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Dear Mr. Secretary: 


It is a privilege for me to submit this report to you on 
behalf of the Secretary's Advisory Committee on Automated 
Personal Data Systems. The Committee believes that the 
report makes a significant contribution toward under- 
standing many of the problems arising from the applica- 
tion of computer technology to record keeping about 
people. Our recommendations provide the framework for 
general solutions and also specify actions to be taken 
both within HEW and by the Federal government as a whole. 


We are grateful for the interest that you have expressed 
in our work. Both you and former Secretary Richardson 
deserve praise for responding to public concern about the 
issues posed by automation of personal-data record-keeping 
operations. We have greatly appreciated the opportunity 
to be of service to you and the Department, and, we hope, 
to all our fellow citizens. 


Our undertaking has required the cooperation of many 
agencies and organizations and the assistance of many 
individuals. We wish to thank everyone at HEW who helped 
us. The contributions of individuals who served as our 
immediate staff are acknowledged in the Preface to the 
report. We wish to note particularly the remarkable 
diligence and devotion to our task of our Executive 
Director, David B. H. Martin, and Associate Executive 
Director, Carole Watts Parsons. 


Sincerely, 


Chairman 


Foreword 


Computers linked together through high-speed telecommunica- 
tions networks are destined to become the principal medium for 
making, storing, and using records about people. Innovations now 
being discussed throughout government and private industry recog- 
nize that the computer-based record keeping system, if properly 
used, can be a powerful management tool. Its capacity for timely 
retrieval and analysis of complex bodies of data can be of invaluable 
assistance to hard-pressed decision makers. Its ability to handle 
masses of individual transactions in minutes and hours rather than 
in weeks or months, as was formerly the case, makes possible 
programs of service to people that would have been unthinkable in 
the manual record-keeping era. Medicare, for example, would be 
impossible to administer without computers to take over many 
routine clerical functions. Computer-based public assistance pay- 
ments systems are also helping States and counties to assure that 
welfare payments go to those who truly need and deserve them. 
This Administration’s strategy calls for strengthening direct support 
of individuals—for putting cash directly in the hands of those who 
need it—and keeping accurate, up-to-date, easily retrieved records 
on individual beneficiaries helps achieve that goal. 

Nonetheless, it is important to be aware, as we embrace this new 
technology, that the computer, like the automobile, the skyscraper, 
and the jet airplane, may have some consequences for American 
society that we would prefer not to have thrust upon us without 
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warning. Not the least of these is the danger that some record- 
keeping applications of computers will appear in retrospect to have 
been oversimplified solutions to complex problems, and that their 
victims will be some of our most disadvantaged citizens. 

This report of the Secretary’s Advisory Committee on Auto- 
mated Personal Data Systems calls attention to issues of record- 
keeping practice in the computer age that may have profound 
significance for us all. 

One of the most crucial challenges facing government in the years 
immediately ahead is to improve its capacity to administer tax 
dollars invested in human services. To that end, we are attempting 
to eliminate ineligibility, overpayment, and other errors from 
welfare caseloads. We are encouraging local government and public 


and private service agencies to forge new cooperative links with one - 


another. We are attempting to move away from the fragmented 
social service structures of the past, which have dealt with 
individuals and with families as if their problems could be neatly 
compartmentalized; that is, as if they were not people. Many of 
these measures could result in more intensive and more centralized 
record keeping on individuals than has been customary in our 
society. Potentially, at least, this is a double-edged sword, as the 
Committee points out. On the one hand, it can help to assure that 
decisions about individual citizens are made on the basis of 
accurate, up-to-date information. On the other, it demands a hard 
look at the adequacy of our mechanisms for guaranteeing citizens 
all the protections of due process in relation to the records we 
maintain about them. 

The report of the Secretary’s Advisory Committee on Automated 
Personal Data Systems deserves to be widely read and discussed. It 
represents the views of an unusual mixture of experts and laymen. 
The Committee obviously considers its recommendations to be a 
reasonable response to a difficult set of problems. The Committee 
has taken a firm position with which some may disagree. However, 
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we should be grateful to the Committee for speaking with such a 
clear voice. In doing'so, it has no doubt set in motion the kind of 
constructive dialogue on which a free society thrives. 


[outils 


July, 1973 


Preface 


This is a report about changes in American society which may 
result from using computers to keep records about people. Its 
central concern is the relationship between individuals and record- 
keeping organizations. It identifies key issues and makes specific 
recommendations for action. 

The Secretary’s Advisory Committee on Automated Personal 
Data Systems was established by former Secretary of Health, 
Education, and Welfare Elliot L. Richardson in response to growing 
concern about the harmful consequences that may result from 
uncontrolled application of computer and telecommunications 
technology to the collection, storage, and use of data about 
individual citizens. The formation of the Committee rests upon a 
public interest determination made by Secretary Richardson which 
provides in part as follows: 


The use of automated data systems containing information 
about individuals is growing in both the public and private 
sectors... .The Department itself uses many such systems, and 
in addition, a substantial number. . .are used by other organi- 
zations, both public and private, with financial or other 
support. . .from the Department. .. .At the same time, there is 
a growing concern that automated personal data systems 
present a serious potentiat for harmful consequences, including 
infringement of basic liberties. This has led to the belief that 
special safeguards should be developed to protect against 
potentially harmful consequences for privacy and due process. 
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The Committee was asked to analyze and make recommenda- 
tions about: ‘ 


e Harmful consequences that may result from using auto- 
mated personal data systems; 


¢ Safeguards that might protect against potentially harmful 
consequences; 


e Measures that might afford redress for any harmful conse- 
quences; 


e Policy and practice relating to the issuance and use of Social 
Security numbers. 


The Committee’s membership encompassed a broad range of ex- 
pertise and experience and an equally diverse range of viewpoints. 
Some members came from the social service professions where 
large-scale data banks are a fact of life, not a probable future 
development. Others came from management backgrounds in both 
government and private industry. Many have had practical ex- 
perience in operating or using automated personal data systems in 
settings ranging from a nationwide credit-bureau network to the 
program management information system of a State government. 
Others came from the academy, and from parts of the research 
community concerned with applying knowledge developed by the 
information sciences. Two members of the Committee were State 
legislators; one was a labor union official; others were lawyers and 
private citizens. 

Given this diversity, it should be no surprise that at our first 
meetings, in the spring of 1972, the views of individual members on 
the significance of applying computer technology to personal-data 
record keeping sometimes differed sharply. Many, indeed probably 
most, did not initially feel a sense of urgency about the potential ill 
effects of current practices in the design and operation of 
automated personal data systems. Some agreed that computer-based 
record keeping poses a latent danger to individual citizens, but 
looked ‘optimistically to technological innovations, particularly 
access-control devices, to prevent problems from arising. Others 
painted dramatic portraits of the potential benefits of large-scale 
data networks to citizens in a densely populated, highly mobile 
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society—benefits that would accrue to all social and economic 
classes, enhancing knowledge, increasing the efficiency of social 
services, and expanding personal freedom. 

Slowly, however, the attitudes of the members changed. Shared 
concerns took root as we heard testimony from over 100 witnesses 
representing more than 50 different organizations, and as we 
reviewed a substantial collection of written materials, including 
reports by similar commissions in this country, Canada, Great 
Britain, and Sweden. The Committee also gathered information on 
related studies and fact-finding efforts through a special inquiry to 
approximately 250 trade and professional associations and public 
interest groups. (Appendix A lists the individuals who appeared 
before the Committee and the groups and organizations to which 
our letter of inquiry was sent.) 

Out of this array of personal contacts, written communications, 
and published documents, our report to the Secretary has emerged. 
We perceive ourselves as sharing concerns and perspectives ex- 
pressed in other recent reports on computer-based record keeping, 
among them Privacy and Computers (1972), the report of a task 
force established jointly by the Canadian Departments of Commun- 
ications and Justice; Data and Privacy (1972), the. report of the 
Swedish Committee on Automated Personal Systems; and Data- 
banks in a Free Society (1972), the report of the National Academy 
of Sciences Project on Computer Databanks. 

Our undertaking has required the cooperation of many agencies 
and organizations and the assistance of many individuals to all of 
whom we are grateful. We thank all those in HEW who helped us, 
noting particularly the generous cooperation of Al Guolo, James J. 
Trainor, Mrs. Lottie C. Owen, and James D. Smith. The Assistance 
of those who worked as our immediate staff and consultants de- 
serves special acknowledgement as follows: 


For general research support and helping to make our meetings 
productive—Paul J. Corkery, John P. Fanning, Courtney B. 
Justice, Nancy J. Kleeman, Terrence D.C. Kuch, Carolyn 
Lewis, William L. Marcus, John J. Salasin, Leonard Sherp, 
Frederick H. Sontag, Lindsay Spooner, Jeffrey L. Steele, and 
Lynn Zusman; 


For legal research and drafting—John P. Fanning; 
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For helping to prepare and edit drafts of the report and for 
preparing appendices — John P. Fanning, Terrence D.C. Kuch, 
Daniel H. Lufkin, Lindsay Spooner, and Patricia Tucker; 


For typewriting and proofreading draft after draft of the 
report — Claire I. Hunkin, Rose Schiano, and Patricia Young; 


For painstaking administrative support — Beverlyann Garfield, 
Ronald C. Lett, James F. Sasser, Rose Schiano, and Helen C. 
Szpakowski. 


Finally, we wish to note especially the dedication and complete 
personal commitment to all aspects of the Committee’s undertaking 
by David B.H. Martin, Special Assistant to the Secretary, who 
served as Executive Director for the Committee, and Carole Watts 
Parsons, Associate Executive Director. Without their patient prod- 
ding and tireless efforts, this report could not have been completed. 


Willis H. Ware, Chairman 
Secretary’s Advisory Committee on 
Automated Personal Data Systems 
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Summary andRecommendations 


The Secretary’s Advisory Committee on Automated Personal 
Data Systems comprised a cross section of expérienced and 
concerned citizens appointed by the Secretary of Health, Educa- 
tion, and Welfare to analyze the consequences of using computers 
to keep records about people. The Committee assessed the impact 
of computer-based record keeping on private and public matters 
and recommended safeguards against its potentially adverse effects. 
The Committee paid particular attention to the dangers implicit in 
the drift of the Social Security number toward becoming an 
all-purpose personal identifier and examined the need to insulate 
statistical-reporting and research data from compulsory legal pro- 
cess. 

The Committee’s report begins with a brief review of the 
historical development of records and record keeping, noting the 
different origins of administrative, statistical, and intelligence 
records, and the different traditions and practices that have grown 
up around them. It observes that the application of computers to 
record keeping has challenged traditional constraints on record- 
keeping practices. The computer enables organizations to enlarge 
their data-processing capacity substantially, while greatly facilitat- 
ing access to recorded data, both within organizations and across 
boundaries that separate them. In addition, computerization creates 
a new class of record keepers whose functions are technical and 
whose contact with the suppliers and users of data are often 
remote. 
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The report explores some of the consequences of these changes 
and assesses their potential for adverse effect on individuals, 
organizations, and the society as a whole. It concludes that the net 
effect of computerization is that it is becoming much easier for 
record-keeping systems to affect people than for people to affect 
record-keeping systems. Even in non-governmental settings, an 
individual’s control over the use that is made of personal data he 
gives to an organization, or that an organization obtains about him, 
is lessening. 

Concern about computer-based record keeping usually centers on 
its implications for personal privacy, and understandably so if 
privacy is considered to entail control by an individual over the uses 
made of information about him. In many circumstances in modern 
life, an individual must either surrender some of that control or 
forego the services that an organization provides. Although there is 
nothing inherently unfair in trading some measure of privacy fora 
benefit, both parties to the exchange should participate in setting 
the terms. 

Under current law, a person’s privacy is poorly protected against 
arbitrary or abusive record-keeping practices. For this reason, as 
well as because of the need to establish standards of record-keeping 
practice appropriate to the computer age, the report recommends 
the enactment of a Federal ‘Code of Fair Information Practice” for 
all automated personal data systems. The Code rests on five basic 
principles that would be given legal effect as “safeguard require- 
ments” for automated personal data systems. 


e There must be no personal data record-keeping systems 
whose very existence is secret. 


e There must be a way for an individual to find out what 
information about him is in a record and how it is used. 


e There must be a way for an individual to prevent 
information about him that was obtained for one purpose 
from being used or made available for other purposes 
without his consent. 


e There must be a way for an individual to correct or 
amend a record of identifiable information about him. 
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e Any organization creating, maintaining, using, or dis- 
seminating records of identifiable personal data must assure 
the reliability of the data for their intended use and must 
take precautions to prevent misuse of the data. 


The proposed Code calls for two sets of safeguard requirements; 
one for administrative automated personal data systems and the 
other for automated personal data systems used exclusively for 
statistical reporting and research. Special safeguards are recom- 
mended for administrative personal data systems whose statistical- 
reporting and research applications are used to influence public 
policy. 

The safeguard requirements define, minimum standards of fair 
information practice. Under the proposed Code, violation of any 
safeguard requirement would constitute “unfair information prac- 
tice” subject to criminal penalties and civil remedies. The Code 
would also provide for injunctive relief. Pending legislative enact- 
ment of such a code, the report recommends that the safeguard 
requirements be applied through Federal administrative action. 

The report discusses the relationship of existing law to the 
proposed safeguard requirements. It recommends that laws that do 
not meet the standards set by the safeguard requirements for 
administrative personal data systems be amended and that legisla- 
tion be enacted to protect personal data used for statistical 
reporting and research from compulsory disclosure in identifiable 
form. 

The report examines the characteristics and implications of a 
standard universal identifier and opposes the establishment of such 
an identification scheme at this time. After reviewing the drift 
toward using the Social Security number (SSN) as a de facto 
standard universal identifier, the Committee recommends steps to 
curtail that drift. A persistent source of public concern is that the 
Social Security number will be used to assemble dossiers on 
individuals from fragments of data in widely dispersed systems. 
Although this is a more difficult technical feat than most laymen 
realize, the increasing use of the Social Security number to 
distinguish among individuals with the same name, and to match 
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records for statistical-reporting and research purposes, deepens the 
anxieties of a public already suffused with concern about surveil- 
lance. If record-keeping systems and their data subjects were 
protected by strong safeguards, the danger of inappropriate record 
linkage would be small; until then there is a strong case to be made 
for discouraging linkage. 


The report recommends that use of the Social Security number 
be limited to Federal programs that have a specific Federal 
legislative mandate to use the SSN, and that new legislation be 
enacted to give an individual the right to refuse to disclose his SSN 
under all other circumstances. Furthermore, any organization or 
person required by Federal law to obtain and record the SSN of any 
individual for some Federal program purpose must be prohibited 
from making any other use or disclosure of that number without 
the individual’s informed consent. 

The report recognizes the need to improve the reliability of the 
Social Security number as an instrument for strengthening the 
administration of certain Federally supported programs of public 
assistance. It also recognizes that issuing Social Security numbers to 
ninth-grade students in schools is likely to be consistent with the 
needs and convenience of young people seeking part-time employ- 
ment and who need an SSN for Social Security and Federal income 
tax purposes. Accordingly, the Committee endorses the recommen- 
dation of the Social Security Task Force that a positive program of 
issuing SSNs to ninth-grade students in schools be undertaken. It 
does so, however, on the condition that no school system shall be 
induced to cooperate in such a program against its will, and that 
any person shall have a right to refuse to be issued an SSN in 
connection with such a program. The Committee recommends that 
there be no positive program of issuing SSNs to children in schools 
below the ninth-grade level; and that the 1972 legislation amending 
the Social Security Act to require enumeration of ali persons who 
benefit from any Federally supported program be interpreted 
narrowly. Finally, the Committee recommends legislation to pro- 
hibit use of the Social Security number for promotional or 
commercial purposes. 

The last chapter of the report contains an agenda of actions to be 
taken for implementing the Committee’s recommendations, which 
are set forth in full below. 
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RECOMMENDATIONS 


Code of Fair Information Practice 


We recommend the enactment of legislation establishing a Code 
of Fair Information practice for all automated personal data 
systems. 


e The Code should define ‘‘fair information practice” as 
adherence to specified safeguard requirements. 


e The Code should prohibit violation of any safeguard require- 
ment as an “unfair information practice.” 


e The Code should provide that an unfair information 
practice be subject to both civil and criminal penalties. 


e The Code should provide for injunctions to prevent 
violation of any safeguard requirement. 


e The Code should give individuals the right to bring suits 
for unfair information practices to recover actual, liqui- 
dated, and punitive damages, in individual or class actions. 
It should also provide for recovery of reasonable attorneys’ 
fees and other costs of litigation incurred by individuals 
who bring successful suits. 


Pending the enactment of a code of fair information practice, we 
recommend that all Federal agencies (i) apply the safeguard 
requirements, by administrative action, to all Federal systems, and 
(ii) assure, through formal rule making, that the safeguard require- 
ments are applied to all other systems within reach of the Federal 
government’s authority. Pending the enactment of a code of fair 
information practice, we urge that State and local governments, the 
institutions within reach of their authority, and all private 
organizations adopt the safeguard requirements by whatever means 
are appropriate. 
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Safeguards Requirements for 
Administrative Personal Data Systems 


I. GENERAL REQUIREMENTS 

A. Any organization maintaining a record of individually identifiable per- 
sonal data, which it does not maintain as part of an administrative automated 
personal data system, shail make no transfer of any such data to another 
organization, without the prior informed consent of the individual to whom 
the data pertain, if, as a consequence of the transfer, such data will become 
part of an administrative automated personal data system that is not subject to 
these safeguard requirements, 


B. Any organization maintaining an administrative automated personal data 
system shall: 


{1) Identify one person immediately responsible for the system, 
and make any other organizational arrangements that are 
necessary to assure continuing attention to the fulfillment of 
the safeguard requirements; 


(2) Take affirmative action to inform each of its employees 
having any responsibility or function in the design, develop- 
ment, operation, or maintenance of the system, or the use of 
any data contained therein, about all the safeguard requirements 
and al! the rules and procedures of the organization designed to 
assure compliance with them; 


(3) Specify penalties to be applied to any employee who 
initiates or otherwise contributes to any disciplinary or other 
punitive action against any individual who brings to the 
attention of appropriate authorities, the press, or any member 
of the public, evidence of unfair information practice; 


(4) Take reasonable precautions to protect data in the system 
from any anticipated threats or hazards to the security of the 
system; 


(5) Make no transfer of individually identifiable personal data 
to another system without {i) specifying requirements for 
security of the data, including limitations on access thereto, and 
(ii) determining that the conditions of the transfer provide 
substantial assurance that those requirements and limitations 
will be observed —-except in instances when an_ individual 
specifically requests that data about him be transferred to 
another system or organization; 
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(6) Maintain a complete and accurate record of every access to 
and use made of any data in the system, including the identity 
of all persons and organizations to which access has been given; 


(7) Maintain data in the system with such accuracy, complete- 
ness, timeliness, and pertinence as is necessary to assure 
accuracy and fairness in any determination relating to an 
individual’s qualifications, character, rights, opportunities, or 
benefits, that may be made on the basis of such data; and 


(8) Eliminate data from computer-accessible files when the data 
are no longer timely. 


I]. PUBLIC NOTICE REQUIREMENT 


Any organization: maintaining an administrative automated personal data 
system shall give public notice of the existence and character of its system once 
each year. Any organization maintaining more than one system shall publish 
such annual notices for all its systems simultaneously. Any organization 
proposing to establish a new system, or to enlarge an existing system, shall give 
public notice long enough in advance of the initiation or enlargement of the 
system to assure individuals who may be affected by its operation a reasonable 
opportunity to comment. Fhe public notice shall specify: 


(1) The name of the system; 

(2) The nature and purpose(s) of the system; 

(3) The categories and number of persons on whom data are (to 
be) maintained; 

(4) The categories of data (to be) maintained, indicating which 


categories are (to be) stored in computer-accessible files; 


(5) The organization’s policies and practices regarding data 
storage, duration of retention of data, and disposal thereof; 


(6) The categories of data sources; 


(7) A description of all types of use (to be) made of data, 
indicating those involving computer-accessible files, and includ- 
ing all classes of users and the organizational relationships 
among them; 


(8) The procedures whereby an individual can (i) be informed if 
he is the subject of data in the system; (ii) gain access to such 
data; and (iii) contest their accuracy, completeness, pertinence, 
and the necessity for retaining them; 
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(9) The title, name, and address of the person immediately 
responsible for the system. 


Hl. RIGHTS OF INDIVIDUAL DATA SUBJECTS 


Any organization maintaining an administrative automated personal data 


system shall: 


(1} Inform an individual asked to supply personal data for the 
system whether he is legally required, or may refuse, to supply 
the data requested, and also of any specific consequences for 
him, which are known to the organization, of providing or not 
providing such data; 


(2) Inform an individual, upon his request, whether he is the 
subject of data in the system, and, if so, make such data fully 
available to the individual, upon his request, in a form 
comprehensible to him; 


(3) Assure that no use of individually identifiable data is made 
that is not within the stated purposes of the system as 
reasonably understood by the individual, unless the informed 
consent of the individual has been explicitly obtained; 


(4) Inform an individual, upon his request, about the uses made 
of data about him, including the identity of all persons and 
organizations involved and their relationships with the system; 


(5) Assure that no data about an individual are made available 
from the system in response to a demand for data made by 
means of compulsory legal process, unless the individual to 
whom the data pertain has been notified of the demand; and 


(6) Maintain procedures that (i) allow an individual who is the 
subject of data in the system to contest their accuracy, 
completeness, pertinence, and the necessity for retaining them; 
{ii) permit data to be corrected or amended when the individual 
to whom they pertain so requests; and (iii) assure, when there 
is disagreement with the individual about whether a correction 
or amendment should be made, that the individual’s claim is 
noted and included in any subsequent disclosure or dissemina- 
tion of the disputed data. 
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Existing laws or regulations affording individuals greater protec- 
tion than the safeguard requirements should be retained, and those 
providing less protection should be amended to meet the basic 


standards set by the safeguards. In particular, we recommend 


° That the Freedom of Information Act be amended to 
require an agency to obtain the consent of an individual 
before disclosing in personally identifiable form exempted- 
category data about him, unless the disclosure is within the 
purposes of the system as specifically required by statute. 


° That pending such amendment of the Act, all Federal 

agencies provide for obtaining the consent of individuals 

before disclosing individually identifiable exempted-cate- 

end data about them under the Freedom of Information 
ct. 


e That the Fair Credit Reporting Act be amended to 
Provide for actual, personal inspection by an individual of 
his record along with the opportunity to copy its contents, 
Or to have copies made; and that the exceptions from 
disclosure to the individual now authorized by the Fair 
Credit Reporting Act for medical information and sources 
of investigative information be omitted. 


Statistical-Reporting and Research 
Uses of Administrative Personal Data Systems 


In light of our inquiry into the statistical-reporting and research 
uses of personal data in administrative record-keeping systems, we 
recommend that steps be taken to assure that all such uses are 


catried out in accordance with five principles: 


First, when personal data are collected for administrative 
purposes, individuals. should under no circumstances be 
coerced into providing additional personal data that are to 
be used exclusively for statistical reporting and research. 
When application forms or other means of collecting 
personal data for an administrative data system are de- 
signed, the mandatory or voluntary character of an individ- 
ual’s responses should be made clear. 
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Second, personal data used for making determinations 
about an individual’s character, qualifications, rights, bene- 
fits, or opportunities, and personal data collected and used 

for statistical reporting and research, should be processed 
and stored separately. 


Third, the amount of supplementary statistical-reporting 
and research data collected and stored in personally 
identifiable form should be kept to a minimum. 


Fourth, proposals to use administrative records for statis- 
tical reporting and research should be subjected to careful 
scrutiny by persons of strong statistical and research 
competence. 


Fifth, any published findings or reports that result from 
secondary statistical-reporting and research uses of adminis- 
trative personal data systems should meet the highest 
standards of error measurement and documentation. 


In addition, there are certain safeguards that can be feasibly 
applied to all administrative personal data systems used for 
statistical reporting and research. Specifically, we recommend that 
the following requirements be added to the safeguard requirements 
for administrative personal data systems: 


e Under I. General Requirements, add— 


C. Any organization maintaining an administrative automated personal data 
system that publicly disseminates statistical reports or research findings based 
on personal data drawn from the system, or from systems of other organiza- 
tions, shall: 


{1) Make such data publicly available for independent analysis, 
on reasonable terms; and 


(2) Take reasonable precautions to assure that no data made 
available for independent. analysis will be used in a way that 
might reasonably be expected to prejudice judgments about any 
individual data subject’s character, qualifications, rights, oppor- 
tunities, or benefits. 
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e Under the Public Notice Requirement, add— 


(8a) The procedures whereby an individual, group, or organiza- 
tion can gain access to data used for statistical reporting or 
research in order to subject such data to independent analysis. 


Systems Used Exclusively For 
Statistical Reporting and Research 


All the features of the Code of Fair Information Practice that we 
recommend for automated personal data systems would apply to 
systems used exclusively for statistical reporting and research. The 
safeguard requirements to be included in the Code for such systems 
are designed to help protect the individual citizen against unintend- 
ed or unforeseen uses of information that he provides exclusively 
for statistical reporting and research, and to help assure that the 
uses organizations make of such data are subject to independent 
expert review and open public discussion. Pending the enactment of 
a code of fair information practice, we recommend that all Federal 
agencies (i) apply these safeguard requirements, by administrative 
action, to all Federal statistical-reporting and research systems, and 
(ii) assure, through formal rule making, that the safeguard require- 
ments are applied to all systems within reach of the Federal 
government’s authority. Pending the enactment of a code of fair 
information practice, we also urge that State and local governments, 
the institutions within reach of their authority, and all private 
organizations adopt the safeguard requirements by whatever means 
are appropriate. 


Safeguard Requirements For 
Statistical-Reporting and Research Systems 


|. GENERAL REQUIREMENTS 


A. Any. organization maintaining a record of personal data, which it does 
not maintain as part of an automated personal data system used exclusively for 
statistical reporting or research, shall make no transfer of any such data to 
another organization without the prior informed consent of the individual to 
whom the data pertain, if, as a consequence of the transfer, such data will 
become part of an automated personal data system that is not subject to these 
safeguard requirements or the safeguard requirements for administrative per- 
sonal data systems. 
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B. Any organization maintaining an automated personal data system used 
exclusively for statistical reporting or research shall: 


(1) Identify one person immediately responsible for the system, 
and make any other organizational arrangements that are 
necessary to assure continuing attention to the fulfillment of 
the safeguard requirements; 


(2) Take affirmative action to inform each of its employees 
having any responsibility or function in the design, develop- 
ment, operation, or maintenance of the system, or the use of 
any data contained therein, about all the safeguard requirements 
and all the rules and procedures of the organization designed to 
assure compliance with them; 


(3) Specify penalties to be applied to any employee who 
initiates or otherwise contributes to any disciplinary or other 
punitive action against any individual who brings to the 
attention of appropriate authorities, the press, or any member 
of the public, evidence of unfair information practice; 


(4) Take reasonable precautions to protect data in the system 
from any anticipated threats or hazards to the security of the 
system; 


(5) Make no transfer of individually identifiable personal data 
to another system without {i) specifying requirements for 
security of the data, including limitations on access thereto, and 
(ii) determining that the conditions of the transfer provide 
substantial assurance that those requirements and limitations 
will be observed—except in- instances when each of the 
individuals about whom data are to be transferred has given his 
prior informed consent to the transfer; and 


(6) Have the capacity to make fully documented data readily 
available for independent analysis. 


Il. PUBLIC NOTICE REQUIREMENT 


Any organization maintaining an automated personal data system used 
exclusively for statistical reporting or research shall give public notice of the 
existence and character of its system once each year. Any organization 
maintaining more than one such system shall publish annual notices for all its 
systems simultaneously. Any organization proposing to establish a new system, 
or to enlarge an existing system, shall give public notice long enough in advance 
of the initiation or enlargement of the system to assure individuals who may be 
affected by its operation a reasonable opportunity to comment. The public 
notice shall specify: 
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(1) The name of the system; 
(2) The nature and purpose(s) of the system;- 


(3) The categories and number of persons on whom data are (to 
be) maintained; 


(4) The categories of data (to be) maintained, indicating which 
categories are (to be) stored in computer-accessible files; 


{5) The organization’s policies and practices regarding data 
storage, duration of retention of data, and disposal thereof ; 


(6) The categories of data sources; 


(7) A description of all types of use (to be) made of data, 
indicating those involving computer-accessible files, and includ- 
ing all classes of users and the organizational relationships 
among them; 


(8) The procedures whereby an individual, group, or organiza- 
tion can gain access to data for independent analysis; 


(9) The title, name, and address of the person immediately 
responsible for the system; 


(10) A statement of the system's provisions for data confiden- 
tiality and the legal basis for them. 


IN. RIGHTS OF INDIVIDUAL DATA SUBJECTS 


Any organization maintaining an automated personal data system used 
exclusively for statistical reporting or research shall: 


(1) Inform an individual asked to supply personal data for the 
system whether he is Jegally required, or may refuse, to supply 
the data requested, and also of any specific consequences for 
him, which are known to the organization, of providing or not 
providing such data; 


(2) Assure that no use of individually identifiable data is made 
that is not within the stated purposes of the system as 
reasonably understood by the individual, unless the informed 
consent of the individual has been explicitly obtained; 


(3) Assure that no data about an individual are made available 
from the system in response to a demand for data made by 
means of compulsory legal process, unless the individual to 
whom the data pertain (i) has been notified of the demand, and 
(ii) has been afforded full access to the data before they are 
made available in response to the demand. 
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In addition to the foregoing safeguard requirements for all 
automated personal data systems used exclusively for statistical 
reporting and research, we recommend that all personal data in such 
systems be protected by statute from compulsory disclosure in 
identifiable form. Federal legislation protecting against compulsory 
disclosure should include the following features: 


e The data to be protected should be limited to those used 
exclusively for statistical reporting or research. Thus, the 
protection would apply to statistical-reporting and research 
data derived from administrative records, and kept apart 
from them, but not to the administrative records them- 
selves. 

e The protection should be limited to data identifiable 
with, or traceable to, specific individuals. When data are 
released in statistical form, reasonable precautions to 
protect against “‘statistical disclosure” should be considered 
to fulfill the obligation to disclose data that can be traced to 
specific individuals. 


e The protection should be specific enough to qualify for 
non-disclosure under the Freedom of Information Act 
exemption for matters “‘specifically exempted from dis- 
closure by statute.” 5 U.S.C. 552(b)(3). 


e The protection should be available for data in the 
custody of all statistical-reporting and research systems, 
whether supported by Federal funds or not. 


e Either the data custodian or the individual about whom 
data are sought by legal process should be able to invoke the 
protection, but only the individual should be able to waive 
it. 


e The Federal law should be controlling; no State statute 
should be taken to interfere with the protection it provides. 


Use of the Social Security Number 


We take the position that a standard universal identifier (SUD 
should not be established in the United States now or in the 
foreseeable future. By our definition, the Social Security Number 
(SSN) cannot fully qualify as an SUI; it only approximates one. 
However, there is an increasing tendency for the Social Security 
number to be used as if it were an SUL There are pressures on the 
Social Security Administration to do things that make the SSN 
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We believe that any action that would tend to make the SSN 
more nearly an SUI should be taken only if, after careful 
deliberation, it appears justifiable and any attendant risks can be 
avoided. We recommend against the adoption of any nationwide, 
standard, personal identification format, with or without the SSN, 
that would enhance the likelihood of arbitrary or uncontrolled 
linkage of records about people, particularly between government 
and government-supported automated personal data systems. 

We believe that until safeguards against abuse of automated 
personal data systems have become effective, constraints should be 
imposed on use of the Social Security number. After that the 
question of SSN use might properly be reopened. 

As a general framework for action on the Social Security 


_ humber, we recommend that Federal policy with respect to use of 


the SSN be governed by the following principles: 


First, uses of the SSN should be limited to those necessary 
for carrying out requirements imposed by the Federal gov- 
ernment. 


Second, Federal agencies and departments should not re- 
quire or promote use of the SSN except to the extent that 
they have a specific legislative mandate from the Congress 
to do so. 


Third, the Congress should be sparing in mandating use of 

, the SSN, and should do so only after full and careful 
consideration preceded by well advertised hearings that 
elicit substantial public participation. Such consideration 
should weigh carefully the pros and cons of any proposed 
use, and should pay particular attention to whether effec- 
tive safeguards have been applied to automated personal 
data systems that would be affected by the proposed use of 
the SSN. (Ideally, Congress should review all present 
Federal requirements for use of the SSN and determine 
whether these existing requirements should be continued, 
repealed, or modified.) 


Fourth, when the SSN is used in instances that do not 
conform to the three foregoing principles, no individual 
should be coerced into providing his SSN, nor should his 
SSN be used without his consent. 

Fifth, an individual should be fully and fairly informed of 
his rights and responsibilities relative to uses of the SSN, 
including the right to disclose his SSN whenever he deems it 
in his interest to do so. 


In accordance with these principles, we recommend specific, 
preemptive, Federal legislation providing: 


(i) That an individual has a legal right to refuse to disclose 
his SSN to any person or organization that does not have 
specific authority provided by Federal statute to request it; 


(2) That an individual has the right to redress if his lawful 
refusal to disclose his SSN results in the denial! of a benefit, 
or the threat of denial of a benefit; and that, should an 
individual under threat of loss of benefits supply his SSN 
under protest to an unauthorized requestor, he shall not be 
considered to have forfeited his right to redress; and 


(3) That any oral or written request made to an individual 
for his SSN must be accompanied by a clear statement 
indicating whether or not compliance with the request is 
required by Federal statute, and, if so, citing the specific 
legal requirement. 


In addition, we recommend 


(4) That the Social Security Administration undertake a 
positive program of issuing SSNs to ninth-grade students in 
schools, provided (a) that no school system be induced to 
cooperate in such a program contrary to its preference; and 
(b) that any person shall have the right to refuse to be 
issued an SSN in connection with such a program, and such 
right of refusal shall be available both to the student and to 
his parents or guardians; 
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(S) That there be xo positive program of issuing SSNs to 
children below the ninth-grade level, either at the initiative 
of the Social Security Administration or in response to 
requests from schools or other institutions; 


(6) That the Secretary limit affirmative measures taken to 
issue SSNs pursuant to Section 205(c)\(2(B\HUD of the 
Social Security Act, as amended by Section 137 of Public 
Law 92-603, to applicants for or recipents of public 
assistance benefits supported from Federal funds under the 
Social Security Act; and 


(7) That the Secretary do his utmost to assure that any 
future legislation dealing with the SSN be preceded by full 
and careful consideration and well advertised hearings that 
elicit substantial public participation. 


With respect to organizations using the SSN, we recommend 


(8) That any organization or person required by Federal 
law to obtain or record the SSN of any individual be pro- 
hibited from making any use or disclosure of the SSN with- 
out the informed consent of the individual, except as may 
be necessary to the Federal purposes for which it was 
required to be obtained and recorded. This prohibition 
should be established by a epee: and preemptive act of 
Congress: 


(9) That the Social Security Administration provide “SSN 
services” to aid record keeping only to organizations or 
persons that are required by Federal law to obtain or record 
the SSN, and then only as necessary to fulfill the purposes 
for which the SSN is required to be obtained or recorded; 


(10) That the Social Security Administration provide “SSN 
services”’ to aid research activities only when it can assure 
that the provision of such services will not result in the use 
of the SSN for record-keeping and reporting activities 
beyond those permitted under recommendation (9), and 
then only provided that rigid safeguards to protect the 
confidentiality of personal data, including the SSN, are 
incorporated into the research design; and 

(11) That specific, preemptive Federal legislation be en- 
acted prohibiting use of an SSN, or any number represented 
as an SSN, for promotional or commercial purposes. 
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“The horror of that moment,” the King went 
on, “TI shall never, never forget!” 


“You will, though,” the Queen said, “if you 


don’t make a memorandum of it.”’ 


Lewis Carroll 
Through the Looking-glass 
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Records and Record Keepers 


Historical Development 


In Cabinet No. 1 of the Musée des Antiquités Nationales near 
‘Paris there lies a wing-bone of an eagle, not much longer than a 
finger. On it, three rows of tiny marks, each carefully engraved with 
a flint point, count off a calendar of days from new moon to new 
moon. That eagle bone from the Magdalenian period, roughly 
14,000 years ago, is the most ancient evidence we have of man’s 
unique ability use abstract notation as an aid to memory. 

Out of the Stone Age, through the dawn of agriculture, similar 
records in all pre-literate cultures attest to the attempts of hunters, 
gatherers, and farmers to keep track of the passing of the seasons 
and the meshing cycles of growth and harvest on which survival 
depended. Even long after more complex societies had fostered 
more elaborate forms of written record keeping, simple tally 
scratches, half practical and half magical, continued to serve as 
records—on the tally sticks of millers, for example, and on the 
six-guns of Jawmen. 

Record-keeping techniques grew and were perfected as once- 
scattered tribes and small communities were amalgamated into 
larger and more organized states. Among the ancient cradles of 
civilization—Asia Minor, China, India, and Central and South 
America—only the Inca civilization of the Andes did not develop a 
written method of recording, using instead a system of knotted 
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cords, called guipu. Indeed, practically all the earliest writing deals 
with records—palace inventories, lists of tribute to kings and 
sacrifices to temples, records of royal births and deaths, traders’ 
accounts—records of things too important to trust to memory. 

In most of the ancient world, the scribes and clerks who 
developed systematic record keeping quickly expanded into general- 
ized public administration. In Sumer and other city-states of 
Mesopotamia, royal genealogies were embellished with accounts of 
battles, land. surveys included detailed descriptions of farms and 
villages, and tax records included commentaries on the tax laws that 
governed them. Gradually these commentaries were detached from 
records proper and took on a separate existence. The law code of 
Hammurabi, for example, emerged from the notes of scribes and 
marks an important milestone in the history of social organization. 
Once the laws of the state achieved an existence independent of 
records, the witness of the records could be used to bind the state 
and the citizen equally. When both the tax laws and the size of a 
man’s herd were matters of public record, the pressure of public 
scrutiny would tend to keep both the publican and the herdsman 
honest. 

Systematic record keeping in the ancient world reached a high 
point during the Roman Empire and then degenerated with the 
decline of strong central government. During the Middle Ages the 
levying of taxes was left largely in the hands of local strongmen 
who had little interest in record keeping. Although the laws of 
inheritance and the interest of the Church in proper sacramental 
procedures encouraged parishes to maintain registers of births, 
marriages, and deaths, those records seldom covered the bulk of the 
population. In some cases, however, rulers of newly conquered 
domains did order inventories and land surveys. One such was 
William the Conqueror’s survey, known as the Domesday Book, of 
the extent and value of landholdings in England in A.D. 1086. It 
became the foundation of Exchequer records that, in turn, grew to 
include audits of the accounts of sheriffs and other local officials. 
The memory-aiding function of these records is suggested by the 
title of the official responsible for keeping them—King’s Remem- 
brancer. 

As a landmark in the gradual evolution from personal sovereignty 
to bureaucratic administration, the Magna Carta of A.D. 1215 laid 
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the foundation in Anglo-Saxon legal tradition for codifying mutual 
responsibilities of government and governed. The Magna Carta, 
wrested from King John by his powerful barons, reduced the 
independence of justices, sheriffs, and other local officials, ensuring, 
in theory at least, that men who knew the common law and were 
willing to observe it would hold positions of high authority. During 
the reign of King John also, an administrative distinction between 
public and closed records began to be observed; official records 
were divided into letters patent that were sent and stored open, 
with the king’s seal attached for authentication, and letters close 
that were sent folded and sealed, and that were stored secure from 
public inspection. The use and content of these two classes of 
records corresponds well, as we shall see, with the modern practice 
of separating public from confidential records. 

As custom and statute more and more provided that government 
records should be open to the public, the justification for closed or 
secret records came to be their pertinence to the defense and 
security of the state. By the mid-1600’s, afl royal courts maintained 
files' of information on the identity and activities of citizens or 
aliens who were considered a threat to the state or the sovereign. 
Such files covered a small number of individuals by today’s 
standards, but were treated with great secrecy and came to be the 
responsibility of a special class of record keeper well outside the 
regular channels of administration. The scope and intensity of this 
special field of record keeping soon gave it a character so different 
from its bureaucratic origins that it becomes convenient at this 
point to draw a distinction between general administrative records 
and the very special intelligence records. 

As the idea gradually spread that governing a state involved more 
than determining and following the wishes of a small ruling class, 
government became less desultory, more aligned to philosophical 
currents, and less reactive to the press of random events. As 
government thus grew more self-conscious, the need for planning 
became apparent. At first, legislators used their right of access to 
public records mainly to look backwards; to reconstruct the flow of 


‘The use of the word “file” in this sense dates from the 1640’s. See “File,” Oxford 
English Dictionary, 1933, FV, 210. 
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history that had brought them to their present position. However, 
lawmakers bent on reform soon found that they needed better 
guides than records of legal decisions, royal correspondence, and 
official accounts and audits. They needed benchmark information 
from which to measure progress toward the goals they wish to 
achieve. 

About 1750, the notion of a national census was revived for the 
first time since the Roman era. Public opposition was strong at first, 
many people suspecting a scheme to raise taxes. The clergy, for 
whom the Biblical injunction against the taking of a census still 
held,? also were onposed. Resistance gradually subsided; first in 
Scandinavia and the German states, then generally throughout the 
Continent and North America. In the American democracy, where a 
State’s Congressional representation constitutionally depends in 
part on the size of its population, a national census, at least to the 
extent of a simple head count, was an obvious political necessity. 

Government soon found that although there was little organized 
public objection to the head count as such, probing by census 
takers for information about income, family life, living habits, and 
other personal matters turned citizens obstinate and made the 
census more difficult to take. 

The problem of gathering information from an antagonistic 
public led to the creation of yet another class of official records, 
the so-called statistical’ file. The essence of such a file is that the 
data it contains are not used to affect specific individuals. In 
creating such a file, the government, in order to gain information 
the public might otherwise be reluctant to give, foregoes some of 
the power over individuals that administrative records containing 
the same data would afford. The essential condition is that citizens 
believe that their individual contributions to a statistical file will 
not be made public and will not be used to punish or embarrass 
them. 


211 Samuel 24 and I Chronicles, 21, 23, 27. 

>The word statistics [state-istics} came into use in the late 18th century to denote 
information on the condition of a state. See “Statistics,” Oxford English Dictionary, 
1933, X, 864. 
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Types of Records About People 


As we approach the computer age in this brief survey of record 
keeping, we need to define the three main types of records that 
have been distinguished historically .* 


Administrative Records. The administrative record is often 
generated in the process of a transaction—marriage, gradua- 
tion, obtaining a license or permit, buying on credit, or 
investing money. Usually a record that refers to an 
individual includes an address or other data sufficient for 
identification. Personal data in an administrative record 
tends to be self-reported or gathered through open inspec- 
tion of the subject’s affairs. Private firms usually treat 
administrative records pertaining to individuals as proprie- 
tary information, while administrative records held by the 
government are normally accessible to the public and may 
be shared for administrative purposes among various agen- 
cies. Administrative records sometimes serve as credentials 
for an individual; birth certificates, naturalization papers, 
bank records, and diplomas all serve to define a person’s 
status. 


Intelligence Records. The intelligence record may take a 
variety of forms. Familiar examples are the security 
clearance file, the police investigative file, and the consumer 
_ credit report. Some of the information in an intelligence 
record may be drawn from administrative records, but much 
of it is the testimony of informants and the observations of 
investigators. Intelligence records tend to circulate among 
intelligence-gathering organizations and to be shared selec- 
tively with organizations that make administrative determi- 
nations about individuals. Intelligence records are seldom 
deliberately made public, except as evidence in legal 
proceedings. 


*The classification follows that of Prof. Alan Westin in M. Greenberger (Ed.), 
Computers, Communications, and the Public Interest (Baltimore, Md.: The Johns Hopkins 
Press), 1971, p. 156. 
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Statistical Records. A statistical record is typically created 
in a population census or sample survey. The data in it are 
usually gathered through a questionnaire, or by some other 
method designed to assure the comparability of individual 
responses. In nearly al! cases, the identity of the record 
subject is eventually separated from the data in the record. 
If a survey must follow a given individual for a long time, 
his identity is often encoded, with the key to the code 
entrusted to a separate record to guard anonymity. Data 
from administrative records are sometimes used for statisti- 
cal purposes, but statistical records about identifiable 
individuals are generally not used for administrative or 
intelligence purposes. 


Not every record falls clearly into one of these three categories. 
The contemporary personnel record combines features of both 
administrative and intelligence records, and the records in the 
modern ‘‘management information system’? have both adminis- 
trative and statistical uses. Many records share characteristics of all 
three types to some degree. Yet whether one looks at the 
relationships among records of different types historically, from the 
perspective of present-day public policy, or from the point of view 
of the individuals who are the subjects of records, it is apparent 
that, by and large, administrative records are considered public; 
intelligence records, secret; and statistical records, anonymous. 
Moreover, democratic traditions with respect to the maintenance of 
government records about people have deep historical roots in a 
number of countries,> and appear to be dominated by three major 
principles. 

e An organization should record only information that has 
a clear-cut relevance to its concerns. Religious data, for 
example, should not be recorded where there is no state 
supported church, and citizens should not be required to 
furnish extraneous data as the price of obtaining a benefit. 


5 The reader who is interested in comparing the American experience with that of other 
nations will find a summary of available material in Appendix B, below, 
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e As much as possible, information that has been collected 
should be held in public files so that public scrutiny can act 
as a check on the arbitrary exercise of administrative 
authority. Closed files in government should be the excep- 
tion, and their content and use should be regulated by 
specific laws, both to limit their extent and to assure their 
confidentiality.® 


e The three types of records described above should be 
held separately, and each should be used only for its 
nominal purpose. The transfer of data from one type of 
record to another should take place only under controlled 
conditions. Records that do not fall neatly into one 
category, and record systems whose structure or use blurs 
the boundaries between types of records, demand special 
safeguards to protect personal privacy. 


From Record Keeping to Data Processing 


In this country, the end of World War II unleashed the deferred 
wants and pent-up purchasing power of the war years onto a 
labor-poor, capital-rich market. To help deal with the social and 
economic dislocations created, first, by demobilization, and later, 
by the Coid War, government kept in force many of the controls it 
had established during the years of all-out mobilization. The 
nation’s pride in its wartime accomplishments lent a tone of 
confidence to even the most ambitious planning. Industry, for its 
part, took advantage of new technologies emerging from wartime 
research and development to make revolutionary changes in its 
methods of producing and distributing goods and services. 


Acting together, these forces rapidly expanded commercial and 
governmental activities in the late forties and early fifties, forcing a 
vast increase in the volume of transactions requiring records about 
people. Compared with pre-war years, the number of bank checks 
written, the number of college students, and the number of pieces 
of mail al! nearly doubled; the number of income-tax returns 


6 The evolution of Federal policy with respect to the confidentiality of census data is 
traced in Appendix C; below. See also Daniel J. Boorstin, The Americans: The Democratic 
Experience (New York: Random House), 1973, Chapters 19-28. 
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quadrupled; and the number of Social Security payments increased 
by a factor of more than 35.’ 

Technology developed during the war years was available to meet 
the challenge posed by this rising tide of recorded transactions. 
Automated data processing, transplanted from its military origin, 
quickly blossomed into a powerful industry, feeding on the 
demands of commerce and government for fast and efficient data 
handling, and in turn, fueling that demand by significantly changing 
the philosophy and practice of management itself. Since most 
industries based on a highly technical product must quickly develop 
a mass market to recover the high development and tooling costs, 
the computer industry devoted much attention and talent to 
marketing its products, without appreciating the implications of the 
technological revolution it was unleashing. 

By the 1960’s, attractive prices, persuasive salesmen, and 
ingenious computer software services had stimulated the introduc- 
tion of automated data processing equipment into a great many 
record-keeping organizations, sometimes with far too little atten- 
tion to the objectives and costs of automation. Although there were 
many examples of diseconomies and a few outright failures, the 
successes were so spectacular that the prestige of having a large-scale 
data processing capacity often prompted managers to keep their 
computers running, even at a financial loss. 

The computer scored its earliest successes as a record keeper in 
fields where the data were mainly numerical. The speed with which 
the computer can do complex arithmetic, and the compactness of 
numerical data as compared to natural language, were major factors 
in quickly amortizing the considerable expense of installing a 
computer, and of converting an established record-keeping opera- 
tion to take full advantage of the computer’s capabilities. Thus, the 
earliest successes were heavily concentrated in science and engineer- 
ing, banking, insurance, and accounting, and, above all, in the space 
program, where the value of computers in handling the intricate 
logistics of production, assembly, and testing was soon discovered. 


7 Alan F, Westin, and Michael A, Baker, Databanks in a Free Society (New York: 


Quadrangie Books), 1972, pp. 224-225. 
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Systematic Management 


For computers to be used effectively as management tools, an 
organization must first analyze its activities in a careful, systematic 
way. For example, if it is known that the goals of an operation can 
be attained by more than one method, the various alternatives can 
in principle be simulated on the computer, and their relative costs 
and benefits thereby compared to find the most cost-effective one. 
This mathematical simulation of a complex activity is called 
systems analysis, 

During the late sixties, planners began to extend the techniques 
of systems analysis from their early engineering applications to 
more general problems of society. In particular, systems analysis 
was brought to bear on such ambitious tasks as improving the 
delivery of health care, managing the rapidly growing welfare 
caseload in urban centers, and measuring the effectiveness of a 
fragmented and increasingly expensive educational system. 

The introduction of the disciplined methods of computer-assisted 
management gave program managers new tools for ‘‘auditing’’ the 
performance of institutions in programs of service to people. This 
auditing process includes: 


e Keeping track of transactions between an organization 
and its clients or beneficiaries; 

e Measuring the performance of the organization in relation 
to the goals set for it; 

e Providing information needed for planning. 


Each of these functions involves information about individuals. 
Administrative data are needed for everyday management of 
individual transactions. Statistical data are needed for planning and 
for assessing the performance of a program. Intelligence data are 
needed for making judgments about people’s character and qualifi- 
cations; e.g., in making suitability determinations for employment, 
commercial credit, welfare assistance, tuition-loan aid, or disaster 
relief, 

The demand generated by all these uses for personal data, and for 
record-keeping systems to store and process them, challenges 
conventional legal and social controls on organizational record 
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keeping. Records about people are becoming both more ubiquitous 
and more important in everyday life. The number of organizations 
performing service and control functions is growing. In many cases, 
the scale of their operations virtually assures that the individuals 
they affect will be known to them only through the contents of 
systematically maintained records. A new technology is also 
demonstrating its potential to accommodate radical growth in 
organizational record-keeping operations. Yet society currently 
affords little protection for an individual who is the subject of a 
record, unless some commercial or property interest in involved. 

The following chapters represent our effort to demonstrate why 
this situation deserves immediate attention and to recommend a 
course of action that, we believe, constitutes an appropriate societal 
response to the problems at hand. 
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The potency of these data does not lie in their 
voluminousness, even where the assembled information 
does provide something like a full sketch of the person 
concerned. Rather, the strength of the data stems from 
its ability to bear meaningfully, unambiguously and 
quickly on decision-making problems faced by the 
systems, Specifically, the files are most useful where 
they enable the system quickly and unerringly to single 
out the minority of their clients who warrant some 
measure of social control. In their most refined form, 
these discrimination procedures involve highly subtle 
judgements, often predictive ones about the client's 
future behaviour, based on imaginative and interpretive 
use of the discrete facts on file. 


The press for economy in the compilation of data is 
matched in the patterns of its application to social 
control. Any of these systems can, for example, dispatch 
a representative expressly to accost delinquent clients; 
but as a regular measure this technique is difficult and 
expensive. Instead, the emerging pattern appears to be 
the extension of possible points of routine contact with 
the clientele, points through which clients must pass for 
their own purposes, At these points, the systems seek to 
develop means of quick identification and rapid informa- 
tion flow to enable them to bring the full weight of 
people’s records to bear in decision-making about 
them—and, where necessary, in action against them, As 
the inducements to place oneself in touch with these 
points becomes more potent, the efficiency of these 
operations increases, 


James B. Rule, Private Lives and 
Public Surveillance, 1973 


Copyright © 1973 by James B. Rule. Published in London by Allen Lane, a Division of 
Penguin Books Ltd. 


II 


Latent Effects of Computer- 
Based Record Keeping 


The dangers latent in the spread of computer-based personal-data 
record keeping stem, in our view, from three effects of computers 
and computer-related technology on an organization’s record- 
keeping practices. 


e Computerization enables an organization to enlarge its 
data-processing capacity substantially. 


e Computerization greatly facilitates access to personal 
data within a single organization, and across boundaries that 
separate organizational entities. 


e Computerization creates a new class of record keepers 
whose functions are technical and whose contact with 
original suppliers and ultimate users of personal data are 
often remote. 


These three effects on personal-data record-keeping are seldom 
observed in isolation from one another. Indeed, they are usually 
interdependent and may acquire a self-reinforcing momentum. The 
discussion that follows is focused on their potentially adverse con- 
sequences for individuals, for organizations, and for the society as a 
whole. It concentrates on aspects of computer-based record keeping 


a 
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that highlight the influence of the technology, but also recognizes 
that organizational objectives, bureaucratic behavior, and public 
attitudes account in part for many of the potentially undesirable 
effects we have identified. 


Too Much Data 


The bare statement that computerization enables an organization 
to enlarge its capacity to process information deserves amplifica- 
tion. Although the computer enables a large organization to handle 
more data, the cost of changing from a manual to an automated 
operation may practically compel a smaller organization to exploit 
its data-processing capacity more fully. The cost of setting up an 
automated system includes not only that of equipment and special 
facilities, but also the cost of system analysis and design, of writing 
and testing computer programs, and of converting manual records 
into computer-accessible form. Thus, the manager of a newly 
automated system may have a strong economic incentive to spread 
the initial cost over as large a data-processing volume as he can, and 
to economize wherever possible in providing services that do not 
make a direct contribution to the efficient operation of the system 
itself. A typical result of this condition is that clients receive 
erroneous bills, unjustified dunning letters, duplicate magazine 
subscriptions, and countless other symptoms of inadequate system 
design and operation. Although these may be more a nuisance than 
a threat, they contribute heavily to the popular image of computeri- 
zation as an offending and intrusive phenomenon. 

The annoyance factor is worth more attention than many system 
managers give it. Resentment engendered in customers at the mercy 
of a computerized billing system, for example, spills over onto 
other computer operations, making unemotional discussion of 
computerization in fundamentally more significant contexts diffi- 
cult, 

An early incentive to concentrate on efficiency may also foster a 
tendency to behave as though data management were the primary 
goal of a computer-based record-keeping operation. When this 
occurs, unnecessary constraints may be placed on the gathering, 
processing, and output of data, with the result that the system 
becomes rigid and insensitive to the interests of data subjects. A 
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commonly observed tendency in these situations is to make the 
data subject do as much of the data collection work as possible by 
forcing him to decide how to fit himself into a highly structured, 
but limited set of data categories (e.g., “Please check one of the 
following boxes.’’). 

This can be a way to cut down errors in transcribing data from 
one form of record to another, but when done solely in the interest 
of economy the system may well sacrifice flexibility and accuracy. 
It is true that data compression and ‘‘shorthand” record entries did 
not originate with the com puter; ill-adapted categorization has been 
the bane of bureaucracy for generations. However, manual record 
keeping can, at the stroke of a pen, take account of data that do 
not fit comfortably into pre-conceived categories, while a computer 
record is not usually amenable to any sort of annotation that was 
not expressly planned for in the design of the system. The relative 
inflexibility of computer-based record keeping, coupled with the 
constraints that some automated systems put on the freedom of 
data subjects to provide explanatory details in responding to 
questions, contributes to the so-called “dehumanizing” image of 
computerization. 

A recent occurrence in France illustrates how the inflexibility of 
an automated personal data system can adversely affect large num- 
bers of people.'. The computer facility of the national family 
allotment system, which disburses some $600 million annually to 
700,000 families in the Paris area, succumbed to the confusion 
created by changes in the allotment rate for nonworking wives, 
young people, and the handicapped. Efforts to unravel the diffi- 
culty were unsuccessful, and the computer center had to be 


‘reorganized as a manual operation in order to clear up an enormous 


backlog of emergency allotment payments. The disruption of 
human lives resulting from the inability to use the computer-based 
payments system was undoubtedly great and demonstrates why the 
difficulty of making even minor changes in the computer programs 
of a complex system gives cause for concern. Human bureaucracies 
exhibit similar rigidities, but their procedures can usually be 
changed by management directive, often by a simple promulgation 
of rules, and in a reasonably short time. In computer systems, how- 


' New York Times, January 26, 1973, p. 4. 
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ever, even a change that has the wholehearted support of ail con- 
cerned may be difficult and slow to effectuate. 

This problem can become even more serious when economies of 
scale are sought by consolidating the data-processing tasks of several 
organizations into one automated system serving all. The effects of 
dysfunction then fall not only on the customers of the system 
primarily at fault, but also on “bystander” data subjects and other 
organizations. 


Easy Access 


The second effect of computerization on personal-data record 
keeping—that it /facilitates access to data within a single organiza- 
tion and across boundaries normally separating organizations—is 
another source of concern. Quick, cheap access to the contents of a 
very large automated file often prompts an organization or group of 
organizations to indulge in what might be called ‘‘dragnet” 
behavior.” ~ 

An example of how a very carefully planned data system of 
ostensible social benefit operates as a dragnet is the National Driver 
Register of the Department of Transportation (more fully described 
in Appendix D). It provides a central data facility containing the 
names of individuals whose driver licenses are denied or withdrawn 
by a State. The purpose of the Register is to give each State access 
to the current revocation records of all other States, so that one 
may, if it wishes, avoid issuing a license to an individual whose 
license has been denied or withdrawn by another State. 

Suppose that Missouri revokes John Doe’s license for a serious 
offense. Doe applies in Illinois for a license, neglecting to mention 
the Missouri revocation. If Illinois issues Doe a license, it in effect 
nullifies Missouri’s action, without knowing it is doing so. Before 
the National Driver Register was established, Illinois would have 
had to make specific inquiry to all other States in order to discover 
the Missouri record of license withdrawal. Because this was time- 


? Although the term “dragnet” commonly connotes a system for catching criminals or 
others wanted by the authorities, the term, as used here, refers to any by stematic screen- 
ing of all members of a population jin order to discover 2 few members with specified 
characteristics, 
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consuming, States tended to do it only for blatantly suspicious 
cases with the presumable result that many fraudulent applications 
were never detected. Now that Doe’s record of license withdrawal 
goes into the master file of the National Driver Register, however, 
one query to the Register from Illinois will bring the Missouri 
action to light within 24 hours, thus permitting Iinois to make a 
decision to grant or withhold a license based upon the original 
Missouri record. 

How can a system whose only purpose is to prevent fraud by 
drivers of demonstrated unfitness have any adverse effect? The 
answer lies in the efficiency of the Register; it has become easier for 
most States to put ail their license applications routinely onto 
magnetic tape to be searched against the Register’s file, rather than 
to separate out the suspicious cases for special treatment. If one 
accepts the objectives of the system—to identify irresponsible or 
incompetent drivers, and thus to reduce the number of traffic 
fatalities—this is not in itself an objectionable practice. However, 
automated matching of queries against NDR records generates 
identity matches so imprecise that subsequent manual screening 
reduces the system’s 5000 possible “‘hits” per day to about 500 
probable ones. Of the probable hits, the operators of the Register 
estimate that about three quarters are ttue identifications; that is, 
they definitely relate to an individual who has misrepresented 
himself in a license application. Arithmetic does the rest; a quarter 
of the probable hits—125 individuals per day—may find that they 
are required to prove that their licenses have not been withdrawn. 
In theory, a reply from the Register is supposed to be treated 
merely as a “‘flag’’ to inform the inquiring State that there may be a 
record on the individual about whom the query was made in the 
revocation files of another State. At least one State, however, 
makes the “flagged” applicant bear the full burden of proving that 
such a record does not exist. Here, the “dragnet effect’? of cheap 
and easy data access—the fact that it is cheaper and more efficient 
to search the NDR on every license application—has resulted in 
occasional nuisance and potential injustice to some applicants. 

The problems that can arise from the operation of the NDR stem 
from its role as a clearinghouse for information supplied and used 
by more than 50 independent driver licensing jurisdictions whose 
operations it does not control. Each jurisdiction using the Register 
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risks being misled by incomplete or erroneous data submitted by 
another participating jurisdiction. Although mistakes propagated by 
the NDR can usually be corrected at small expense in time and 
trouble, other multijjurisdictional clearinghouses can have poten- 
tially more serious effects on individuals. The criminal history file 
of the FBI’s National Crime Information Center (NCIC) is one 
example. 

The NCIC is a computerized clearinghouse of information about 
wanted persons, stolen property, and criminal history records? that 
will eventually provide criminal justice agencies throughout the 
United States with computer-to-computer access to the data in its 
files, The ultimate objective of the NCIC criminal history file is to 
enable law enforcement agencies, courts, and correctional institu- 
tions to determine, in seconds, whether an individual has a criminal 
record. The NCIC would appear to lack the potential to be used as a 
dragnet because inquiries are made only about particular individuals 
with whom law enforcement agencies have contact under con- 
ditions that constitute cause for suspicion of wrongdoing. In this 
respect, it differs significantly from the operation of the National 
Driver Register. Furthermore, the problem of mistaken identifi- 
cation in using the criminal history files should not arise because of 
NCIC’s requirement that fingerprints be used to identify arrest and 
offender records entered into the system. (Errors of identification 
can and do occur in using the records in the wanted persons files 
because these are not identified by fingerprints. However, the ease 
with which inquiries can be made from remote terminals located in 
law enforcement and criminal justice agencies all over the country 
could lead to access to the NCIC criminal history files by more 
users and for checking on more individuals than is socially desirable. 

Leaving aside the question of the probative value of arrest 
records, about which lively controversy exists, the consequences of 
excessive use of criminal history files might be innocuous if the 
NCIC records could be completely reliable. In practice, however, 
the NCIC, like the National Driver Register, does not have effective 
control over the accuracy of all the information in its files. The 


3See Appendix E for a discussion of the development of computerized criminal justice 
information systems in the United States. 
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NCIC is essentially an automated receiver, searcher, and distributor 
of data furnished by others. If a subscribing system enters a par- 
tially inaccurate record, or fails to submit additions or corrections 
to the NCIC files (e.g., the recovery of a stolen vehicle or the 
disposition of an arrest), there is not much that the NCIC can do 
about it. 

Furthermore, the risk of propagating information that may lead 
to unjust treatment of an individual by law enforcement authorities 
in subscribing jurisdictions cannot be fully prevented.* 

The NCIC checks on records being entered into its files, and 
periodically audits its files to try to assure that system standards for 
completeness and accuracy of records are being met. When it de- 
tects errors or points of incompleteness, it can seek corrective 
action and can flag its records to warn users of possible deficiencies. 
In the cases of an arrest record, however, even if the source agency 
does eventually submit information about the disposition of the 
arrest, there is no way that the NCIC can assure that all those who 
have had access to the record in the interim will receive the dis- 
position information. Once a subscribing police department con- 
tributes an arrest report to the NCIC, that report is available to any 
qualified requestor in the system. In some States, this means that 
employers and licensing agencies (for physicians, barbers, plumbers, 
and the like) will have access to the record under State laws that 
require an arrest-record check on candidates for certain types of 
occupational certification. Thus, unless a criminal record infor- 
mation system is designed to keep track of all the ultimate users of 
each record released, and of every person who has seen it, any 
correction or emendation of the original record can never be certain 
to reach each holder of a copy. 

Systems like the NCIC and the National Driver Register illustrate 


*The NCIC system has been imitated by many city police departments whose systems 
respond to inquiries from law enforcement jurisdictions in adjacent suburbs, A suburban 
law enforcement officer first queries the city system to which his terminal is linked; if the 
file search there yields nothing, his query is passed on automatically to the State system 
and from there to the NCIC. These local systems have all the accuracy problems of the 
NCIC and some are currently the objects of law suits brought by their hapless victims. See, 
for example, “S.F.’s Forgetful Computer,” San Francisco Examiner, May 9, 1973, p. 3, 
and “Coast Police Sued as Computer Erts,’” New York Times, May 5, 1973, p. 23. Almost 
all of these cases involve the failure of a local jurisdiction to report the recovery of a stolen 
vehicle or the revocation of a warrant. 
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one of the potentially most significant effects of computerization 
on personal-data record keeping—the enhanced ability to gather, 
package, and deliver information from one organization to another 
in circumstances where lines of authority and responsibility are 
overlapping or ambiguous, and where the significance attached to 
data disseminated by the system may vary among subscribing 
organizations. Unless all organizations in a multi-jurisdictional 
system can be counted on to interpret and use data in the same 
way, the likelihood of unfair or inappropriate decisions about the 
individual to whom any given record pertains will be a problem, and 
a particularly acute problem whenever records are incomplete or 
compressed. The records of school children, for instance, while 
highly comparable within a single school district, will be less so 
among the districts of a single State, and even more disparate 
among different States. Thus, data systems that are established 
deliberately to pass information across jurisdictional lines must be 
very carefully designed so as to foster sensitive, discriminating use 
of personal data. 

The untoward effects of such systems (or of any system, for that 
matter) do not stem in the main from poor technical security. 
Although public mistrust of the computer often centers on the 
possibility of unauthorized access to a central data bank for 
purposes of blackmail or commercial exploitation (such as the 
clandestine copying of a list of names and addresses), the purely 
technical difficulties that can be placed in the path of any but the 
most well-equipped intruder can make almost every computer 
installation more secure than its manual counterpart. Unless an 
intruder has detailed technical knowledge of the system, and 
possibly also clandestine access to the facility itself, most systems 
can be quite well defended against “unauthorized” access (although 
at the present time many systems may not be well-defended). The 
problem is how to prevent “authorized” access for “‘unauthorized” 
purposes, since most leakage of data from personal data systems, 
both automated and manual, appears to result from improper 
actions of employees either bribed to obtain information, or 
supplying it to outsiders under a “buddy system” arrangement. 

Concern about abuses of authorized access to “‘integrated”’ data 
systems maintained by State and local governments can have a 
particularly debilitating effect on people’s confidence in their 
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governmental institutions. Ambitiously conceived integrated sys- 
tems, no matter how secure technically, may have the effect of 
blurring, either in fact or appearance, established lines of political 
accountability and constitutionally prescribed boundaries between 
branches of government. When different branches arrange to share 
an integrated data-processing facility and its data, the executive 
usually will operate it. This happens partly because operational 
functions are normal for the executive, and partly because 
executive agencies usually have more experience with computer 
systems. It leads people to fear, however, that the needs of 
executive claimants may be met before the needs of legislative 
bodies and the judiciary. The priority system for allocating 
computer support will, of course, look fair on paper, but in practice 
the result may often be to shortchange the passengers on the system 
in favor of the driver.* The recent development of mini-computers, 
much cheaper than the big systems of only five years ago but of 
comparable power, is providing an attractive economic alternative 
to large integrated systems. Large systems, however, are also 
becoming less expensive and there is no assurance that they will not 
become even more so as the result of new technological advance. 
Finally, in terms of the historical classification of records in 
Chapter I, we recognize that combining bits and pieces of personal 
data from various records is one way of creating an intelligence 
record, or dossier. The possibility of using a large computer to 
assemble a number of data banks into a ‘“‘master file” so that a 
dossier on nearly everybody could then be extracted is currently 
remote, since the ability to merge unrelated files efficiently depends 
heavily upon their having many features of technical structure in 
common, and also on having adequate information to match 
individual records with certainty. These technical obstacles are 


5 For a discussion of political issues raised by computer-based information systems in 
urban government, sce Anthony Downs, “The Political Payoffs in Urban Information 
Systems,” in Alan F. Westin (Ed.}, Information Technology in a Democracy (Cambridge, 
Mass.: Harvard University Press), 1971, pp. 311-321. 


In addition to incompatibilities of file structure, the expectation that some day “it 
will all be put together” also runs afoul of the tenacity with which record-keeping 
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avoided if the capability to merge whole files is designed into a 
group of systems at the outset, a practice now characteristic of only 
a few multi-jurisdictional systems but perhaps becoming more 
prevalent. At the present time, however, compiling dossiers from a 
number of unrelated systems presents problems that few organiza- 
tions, and probably no organizations outside of government, have 
the resources to solve.” 

Nonetheless, public concern about such combinations of data 
through linkings and mergers of files is well founded since any 
compilation of records from other records can involve crossing 
functional as well as geographic and organizational boundaries. 
When data from an administrative record, for example, become part 
of an intelligence dossier, neither the data subject nor the new 
holder knows what purpose the data may some day serve. 
Moreover, the investigator may believe that no detail is too small] to 
put into dossier, while the subject, for his part, can never know 
when some piece of trivia will close a noose of circumstantial 
evidence around him. Public sensitivity to the possibility of such 


(Continued) 

Organizations tend to protect their own turf. Certainly among private organizations 
competitive pressures sometimes inhibit the free circulation of information about clients 
and also induce resistance to sharing Jarge blocks of individually identifiable data with 
government agencies. The California Bankers Association, for example, is currently 
involved in litigation’ (Stark v.Connally,347 Fed. Supp. 1242, 1972) to prevent the 
Treasury Department from enforcing the reporting provisions of the so-called Bank 
Secrecy Act of 1970 (12 U.S.C. 1829b; 31 U.S.C. 1051-1122) with respect to domestic 
financial transactions. 

Tit should be noted that the same characteristics of automated systems which inhibit 
the compilation of dossiers can also inhibit efforts by the press and public interest groups to 
penetrate the decision-making processes of record-keeping organizations and expose them 
to public scrutiny. This is particularly true when organizations destroy “‘hard-copy” 
records after putting the information in them into computet-accessible form. In such 
cases, the computer can become a formidable gatekeeper, enabling a record-keeping 
organization to control access to public-record information that previously had been 
available to anyone with the time and energy to sift through its paper files. Putting 
public-record data in computer-accessible form can also increase the cost of piecing 
information together from several different files. The same programming costs that make 
it uneconomical for law enforcement investigators and private detectives to “fish” in the 
automated files of a credit bureau could also make it prohibitively expensive for private 
citizens to examine public records. 
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situations argues strongly for preserving the functional distinctions 
between different classes of personal data systems. 


Technicians as Record Keepers 


The reputation of the computer for impersonality and inhuman 
efficiency is due, in part, to the publicity given the computer as a 
poet, a chess-player, and a translator of exotic languages. ‘‘Machine 
intelligence” is a subject with fascinating technical and philo- 
sophical aspects. To date, however, there is no evidence that a 
computer capable of “‘taking over” anything it was not specifically 
programmed to take over is attainable. Indeed, as pointed out 
earlier, programming a computer to handle anything complicated is 
usually a very difficult and expensive job, requiring generous 
amounts of money, expertise, and management capability. 

It seems safe to predict that economic and organizational 
constraints on the uses of computers will not change radically 
during the next few years. Although computing power and 
data-storage capability are steadily becoming cheaper, and problem- 
oriented programming is being improved, no dramatic break- 
throughs are in sight. This prediction, however, cuts two ways. If 
we can comfortably assume that computers will not take contro! of 
anything on their own volition, we may still feel some disappoint- 
ment that the application of computers will tend to remain in the 
hands of trained specialists whose competence is primarily in data 
processing rather than in the fields that data processing serves. 
Some would say that this circumstance results from an abdication 
by managers of their proper role, but whatever the reason, the 
effect can easily be to insulate the record-keeping functions of an 
organization from the pressures of both consumers and suppliers of 
data. 

The presence of a specialized group of data-processing profes- 
sionals in an organization can create a constituency within the 
organization whose interests are served by any increase in data use, 
without much regard for the intrinsic value of the increased use. The 
point is underlined by an experience common to many organiza- 
tions. Some unit is already operating a computer facility for 
accounting, processing scientific or engineering data, or for some 
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other straightforward application to which the technology is 
well-adapted. Because the facility has extra computer time avail- 
able, it is soon discovered that attractive software packages can be 
purchased to enable the computer to enlarge its scope and become a 
“management information system.” 

Such systems are founded on the proposition that efficient 
decision making requires that managers have available to them a 
greater or more timely supply of relevant information than they 
have been getting. As commonly observed, however, most managers 
do not need more of relevant information nearly as badly as they 
need less of irrelevant raw data.® Thus, until the theory of 
management itself has progressed to a stage where the necessary 
data content of management-oriented systems can be predicted, 
their users are likely to find them disappointing. 

Another, potentially more serious, consequence of putting 
record keeping in the hands of a new class of data-processing 
specialists is that questions of record-keeping practice which involve 
issues of social policy are sometimes treated as if they were nothing 
more than questions of efficient technique. The pressure for estab- 
lishing a simple, identification scheme for locating records in com- 
puter-based systems is a case in point. 

The technical argument for having a standard universal identifier 
for records about individuals focuses on increasing the efficiency of 
record keeping and record usage. Proponents argue that if every 
item of data entered into an automated system could be associated 
with an identifier unique to the individual to whom the data 
pertain, updating, merging, and linking operations would be greatly 
simplified and far less error-prone than they are today. Moreover, 
records could be used more intensively; administrative records 
indexed by Social Security number, for example, could also be used 
for certain types of research which require matching data on 
individuals from several different record systems. 

To reap the full technical advantages of a standard identification 
scheme, it is necessary for each individual to supply the identifier 


® See, for example, Russell Ackoff, “Management Misinformation Systems,” in Westin, 
op. cit. , pp. 264-271. 
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assigned to him every time he has contact with a record-keeping 
organization using it. This practice is already familiar to the clients 
of banks, credit-card services, and many other organizations that 
have developed their own standard schemes. What worries people is 
that the inconvenience to record-keeping organizations of having to 
devise their own numbering arrangements will encourage the 
adoption of a single universal scheme for use in all computer-based 
personal data systems. If this happens, organizations that share an 
interest in monitoring and controlling the behavior of some portion 
of the population will acquire an enlarged capacity to do so, since 
they will all be able to know when an individual has contact with 
any one of them. Fingerprints, for example, are the standard 
method used by the police to identify persons arrested for crimes. 
Fingerprinting assures accurate identification and may seem a 
reasonable way of dealing with criminal offenders, but it is a 
dubious model for other types of record-keeping organizations to 
follow. 

It is, of course, a long step from having each individual identified 
in the same way in every data system to creating a giant national 
data bank of dossiers constructed from fragments of records on 
citizens in widely dispersed data systems. There would have to be 
some strong incentive for ‘‘putting it all together,” and as we noted 
earlier, it is doubtful that even the dollar cost of doing so could be 
justified on any reasonable grounds. However, it is not necessary to 
build a giant national data bank to experience some of the effects 
of having one. There are already systems in operation which have 
some of the control capabilities that such a centralized dossier 
system would create. 

One computer-based personal data system that came to our 
attention was a comprehensive health information system devel- 
oped and maintained by an agency of the Department of Health, 
Education, and Welfare on an Indian reservation in the Southwest. 
Approximately 10,000 Indians living in the area have records in the 
system and another 4,000 have records in it but, for one reason or 
another, are not part of the active patient population. These 14,000 
record subjects are, by and large, an economically dependent 
population with very serious health problems. Within the confines 
of the geographic area covered by the system—about the size of 
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Connecticut—they are also a highly mobile population, with each 
individual going by any one of several different names depending on 
circumstances. 

The health facility consists of a combination of in-patient, 
out-patient, and field-clinic services. The purpose of its computer- 
based record-keeping system is to develop a complete, cradle-to- 
grave, medical dossier on each individual eligible to use the facility, 
so that all can benefit from a comprehensive diagnostic and 
treatment program that aims to control illness by preventing its 
occurrence, or by taking preemptive steps at the first sign of a 
medical problem. 

The record-keeping system has three basic components: (1) an 
administrative one that notes and describes every contact each 
patient has with any segment of the health facility, including the 
“interdisciplinary” teams of doctors, nurses, and social workers 
who travel about administering tests and providing ambulatory 
health services; (2) a statistical-reporting one that attempts to 
observe fluctuations in the incidence of certain types of ailments 
and to pinpoint “high risk” groups needing special preventive 
attention; and (3) a “surveillance” one that consists of the recorded 
results of medical tests administered according to a schedule 
established by the health facility. The system is a little more than 
three years old. By the summer of 1972 it contained about 50 
million characters of data, or approximately 3,500 characters per 
patient-record. It accommodates data in narrative as well as 
standard computer-accessible form. 

The system is an elegant tool for addressing a complex set of 
social problems. It would be hard to argue that the patient 
population being cared for would be better off without the services 
the system makes possible. It is also apparent that knowing who an 
individual is, and the details of his medical history, can be of vital 
importance in treating patients, but the system has certain social 
control capabilities that should be noted nonetheless. 

The surveillance component, for example, has the primary 
purpose of discovering incipient medical problems in individual 
patients. To do this effectively, each patient must be induced to 
comply with the health facility’s testing schedule, and the health 
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data system can be used to encourage compliance. As long as a 
patient has no need for medical treatment, he can avoid the testing 
program. However, once he becomes a patient, for whatever reason, 
his record will be there at the doctor’s fingertips showing all tests he 
has not had but should be persuaded to have before he leaves the 
field clinic or wherever it is that he has come to the medical 
facility’s attention. In discussing a system serving such patently 
humane purposes, words like ‘“‘control”’ and “‘coercion’”’ may have 
an objectionable ring, but the coercive potential of the surveillance 
component, especially in some other area of application, is evi- 


dent.? 
In another environment, the statistical-reporting component of 


the system could also have potentially unsavory consequences for 
individuals. [t is characteristic of modern organizations to single out 
“high risk”? categories of people to whom the normal standards and 
rules do not apply. Often these high risk groups are identified from 
statistical studies of populations that use the services an organiza- 
tion offers. The consequences for any given individual exhibiting 
the characteristics of the high risk group may range from total 
exclusion (uninsurability) to being made eligible for special treat- 
ment (remedial education, free medical care), Although there is 
nothing intrinsically harmful in such practices, in dealing with 


human populations it is essential not to assume that any single f 


member of a statistically defined group will necessarily behave in 
the way predicted for the group as a whole. Theoretically, the 
adverse consequences of “statistical stereotyping” can be avoided 
by permitting an individual to know that he has been labelled a risk 
and to contest the label as applied to him. However, depending on 
the circumstances—and particularly on the stake that an organiza- 


tion may have in being able to predict the behavior of each individ- § 
ual in its clientele—a lone individual could have considerable 


difficulty making his case. 

Even the administrative record-keeping component of a compre- 
hensive data system can have coercive effects. When the adminis- 
trative part of the health data system was described to the 
Committee, repeated reference was made to the advantages of 


knowing that a patient has previously been treated for an emotional | Z 


° A computer-based information system designed to control the population of a prison 4 


is described in Appendix F. 
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disorder when he shows up at a clinic claiming that he has 
accidentally scratched his wrist on a rusty nail. One hopes that his 
chances of being discharged after some bandaging and a tetanus 
shot are about the same as his chances of being committed for 
treatment as a potential suicide. But are they? Should they be? In 
some other record-keeping environment, could an individual depend 
on having someone equivalent to a trained medical practitioner 
available to make such a judgment? 

Finally, it is important to note that the health data system has 
grown very rapidly, that elements like the “high risk” categori- 
zation were not present in the beginning, and that the health 
facility is now trying to improve its method of identifying patients 
for the purpose of updating and retrieving the information it main- 
tains about them. In this particular situation, the Social Security 
number happens to be considered a poor identification device 
because many patients are thought to have more than one; but the 
patients also tend to have several different names, so the managers 
of the data system are trying to develop their own unique number- 
ing scheme cross-referenced with all known “aliases” for each 


patient. 
Scheduling, labelling, monitoring, improved methods of identify- 


ing records about individuals—these are being discussed in some 
quarters today as if they were mere tools for delivering services to 
people efficiently. In the health data system just described, the 
surveillance component is regarded as a way of providing preventive 
health care; of taking preemptive steps to halt the natural 
development of illnesses and conditions conducive to illness. It is 
hard to quarrel with those objectives, or for that matter with the 
objectives of a great many data systems now in Operation or being 
planned. Should a national credit-card service be prohibited from 
using a sophisticated personal data system to prevent its card 
holders from going on irresponsible spending sprees?’° Should 
school districts be forbidden to use personal data systeins to help 
prevent children from becoming delinquents? 

These are difficult questions to answer. Often the immediate 
costs of not using systems to take preemptive action against 


?°For a cogent description of how this is done, see James B. Rule, Private Lives and 
Public Surveillance (London: Allen Lane), 1973, especially Chapter 6. See also Robert A. 
Hendrickson, The Cashless Society (New York: Dodd, Mead & Company), 1972. 
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individuals can be estimated (in both dollars and predictable social 
disruption), while the long-term costs of increasing the capacity of 
organizations to anticipate, and thus to control, the. behavior of 
individuals can be discussed only speculatively. One fact seems 
clear, however; systems with preemptive potential are typically 
developed by organizations, and groups of organizations, who see 
them primarily as attractive technological solutions to complex 
social problems. The individuals that the systems ultimately affect, 
the people about whom notations are made, the people who are 
being labelled and numbered, have, by comparison, a very weak role 
in determining whether many of these systems should exist, what 
data they should contain, and how they should be used. 


The Net Effect on People 


Today it is much easier for computer-based record keeping to 
affect people than for people to affect computer-based record 
keeping. This signal observation applies to a very broad range of 
automated personal data systems. When a machine tool produces 
shoddy products, the reaction of consumers (and of government 
regulatory agencies in some cases) is likely to give the factory 
managers prompt and strong incentives to improve their ways. This 
is much less likely to be the case when computerized record-keeping 
operations fail to meet acceptable standards. 

There is some evidence that in commercial settings competition 
helps to prevent harmful or insensitive record-keeping practices, 
especially when a record-keeping organization (a bank, for instance) 
depends on continuous interaction with individual data subjects in 
order to keep its own records straight. It is also true that a number 
of schools and colleges have been forced to abandon automated 
registration and scheduling by determined student campaigns to 
fold, spindle, and mutilate. In governmental settings, however, the 
dissatisfied data subject usually has nowhere else to take his 
business and can even be penalized for refusing to cooperate. The 
result, of course, is that many organizations tend to behave like 
effective monopolies, which they are. 

It is no wonder that people have come to distrust computer- 
based record-keeping operations. Even in non-governmental set- 
tings, an individual’s control over the personal information that he 
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gives to an organization, or that an organization obtains about him, 
is lessening as the relationship between the giver and receiver of 
personal data grows more attenuated, impersonal, and diffused. 
There was a time when information about an individual tended to 
be elicited in face-to-face contacts involving personal trust and a 
certain symmetry, or balance, between giver and receiver. Nowa- 
days an individual must increasingly give information about himself 
to large and relatively faceless institutions, for handling and use by 
strangers—unknown, unseen and, all too frequently, unresponsive. 
Sometimes the individual does not even know that an organization 
maintains a record about him. Often he may not see it, much less 
contest its accuracy, control its dissemination, or challenge its use 
by others. 

In more than one opinion survey, worries and anxieties about 
computers and personal privacy show up in the replies of about one 
third of those interviewed. More specific concerns are usually 
voiced by an even larger proportion.'’ The public fear of a “Big 
Brother” system, in effect a pervasive network of intelligence 
dossiers, focuses on the computer, but it includes other marvels of 
twentieth-century engineering, such as the telephone tap, the 
wireless microphone, the automatic surveillance camera, and the 
rest of the modern investigator’s technical equipage. Such worries 
seem naive and unrealistic to a data-processing specialist, but as in 
the case of campus protests against computerized registration 
systems, the apprehension and distrust of even a minority of the 
public can grossly complicate even a safe, straightforward data— 
gathering and record-keeping operation that may be of undoubted 
social advantage. 

It may be that loss of control and confidence are more significant 
issues in the “computers and privacy” debate than the organiza- 
tional appetite for information. An agrarian, frontier society 
undoubtedly permitted much less personal privacy than a modern 
urban society, and a small rural town today still permits less than a 
big city. The poet, the novelist, and the social scientist tell us, each 
in his own way, that the life of a small-town man, woman, or family 
is an open book compared to the more anonymous existence of 


11 See, for example, A National Survey of the Public’s Attitudes Toward Computers 
(AFIPS-TIME, Inc.) 1971. This survey is discussed in Alan F, Westin and Michael A. Baker, 
Databanks in a Free Society (New York: Quadrangle Books), 1972, pp. 465-485. 
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urban dwellers. Yet the individual in a small town can retain his 
confidence because he can be more sure of retaining control. He 
lives in a face-to-face world, in a social system where irresponsible 
behavior can be identified and called to account. By contrast, the 
impersonal data system, and faceless users of the information it 
contains, tend to be accountable only in the formal sense of the 
word. In practice they are for the most part immune to whatever 
sanctions the individual can invoke. 


As every man goes through life he fills in a number of 
forms for the record, each containing a number of 
questions. ... There are thus hundreds of little threads 
radiating from every man, millions of threads in all. If 
these threads were suddenly to become visible, the 
whole sky would look like a spider’s web, and if they 
materialized as rubber bands, buses, trams and even 
people would all lose the. ability to move, and the 
wind would be unable to carry torn-up newspapers or 
autumn leaves along the streets of the city. They are 
not visible, they are not material, but every man is 
constantly aware of their existence. ...Each man, 
permanently aware of his own invisible threads, 
naturally develops a respect for the people who 
manipulate the threads. 
Alexander Solzhenitsyn, 
Cancer Ward 


Reprinted with the permission of Farrar, Straus & Giroux, Inc. from Cancer Ward by 
Alexander Solzhenitsyn, English translation of Part I © The Bodley Head Ltd. 1968; Part 
HI © The Bodley Head Ltd. 1969. 


Experience should teach us to be most on our guard 
to protect liberty when the Government's purposes 
are beneficent. Men born to freedom are naturally 
alert to repel invasion of their liberty by evil-minded 
rulers. The greatest dangers to liberty lurk in insidious 
encroachment by men of zeal, well-meaning but 
without understanding. 


Justice Louis D. Brandeis, 
Olmstead y. United States, 1928 
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Safeguards for Privacy 


There is widespread belief that personal privacy is essential to 
our well-being—physically, psychologically, socially, and morally. 
Concern about the effects of computerized personal data systems 
centers on their threat to privacy. Safeguards must therefore focus 
on the protection of persona! privacy. 

The rationale for the safeguards that we will recommend is set 
forth in this chapter. In it we take account of existing legal 
constraints on the invasion of personal privacy through record 
keeping, and of the role that records play in the relationship 
between individuals and record-keeping organizations. 


Personal Privacy, Record Keeping. and the Law 


Some suggest that the risks presented by automated personal 
data systems call for a Constitutional amendment, or a general 
legislative enactment, which would clearly and with certainty 
establish personal privacy as an explicit legal right. Others, no less 
committed to the protection of personal privacy, contend that 
existing law will evolve naturally to meet whatever challenges to 
privacy may result from computer-based record-keeping practices. 
In the latter view, the enactment of an explicit, general right of 
personal privacy, whether Constitutionally or by statute, would not 
only provide no greater protection than is already latent in the 
common law of privacy, but also would create uncertainty and 
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confusion that the courts are ill-suited to resolve. 

Although the Constitution of the United States does not 
mention a right to privacy, and only three State Constitutions 
(Alaska, California, and South Carolina) make explicit provision for 
a right of privacy, various aspects of personal privacy have been 
protected against government action by judicial interpretation of 
certain provisions of the Bill of Rights. The First Amendment 
guarantees free speech, a free press, and freedom of assembly and 
religion; the Third Amendment prohibits quartering soldiers in 
private homes; the Fourth Amendment prohibits unreasonable 
searches and seizures; the Fifth Amendment protects against 
compulsory self-incrimination; and the Ninth Amendment guaran- 
tees that nights not enumerated in the Constitution are retained by 
the people. Courts have construed these protections of the Bill of 
Rights to uphold the individual’s right not to be coerced into 
revealing political, social, or philosophical beliefs, or private 
associations, unless national security or public order are at stake. 
The issues in many cases are clearly rooted in concerns for personal 
privacy, but the courts have.articulated their decisions in terms of 
Bill of Rights guarantees. The Supreme Court, however, has 
recognized a right of privacy as the basis for protecting the freedom 
of individuals to practice contraception, to read or look at 
pornography at home, and to have an unwanted pregnancy termi- 
nated. 

Courts have also developed principles in the common law to 
allow suits for invasion of privacy in various situations involving 
financial or reputational injury of one person by another. There is 
little evidence, however, that court decisions will, either by 
invoking Constitutional rights or defining common law principles, 
evolve general rules, framed in terms of a legal concept of personal 
privacy, that will protect individuals ageinst the potential adverse 
effects of personal-data record-keeping practices. Indeed, there are 
many court decisions in which seemingly meritorious claims that 
could have been sustained by recognizing a right of privacy were 
denied because the courts would not permit such a right to override 
other legal considerations. 

Although there is a substantial number of statutes and regula- 
tions that collectively might be called the “law of personal-data 
record keeping,” they do not add up to a comprehensive and 
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consistent body of law. They reflect no coherent or conceptually 
unified approach to balancing the interests of society and the 
organizations that compile and use records against the interests of 
individuals who are the subjects of records.! 

The Federal Reports Act? and the so-called “Freedom of 
Information Act,’*® taken together, come as close as any enact- 
ments to providing a framework for Federal policy in this area. 
However, they are limited in application to agencies of the Federal 
government; they deal in a limited fashion with only two aspects of 
record-keeping practice—data collection and data dissemination; 
and they contain scant and potentially inconsistent protections for 
the interests of individual record subjects. 

The Federal Reports Act requires that Federal agencies, with 
several significant exceptions, obtain concurrence from the Office 
of Management and Budget before collecting “information upon 
identical items, from ten or more persons.” The Act was designed 
chiefly to help business enterprises. Its main purposes are to 
minimize the ‘‘burden” upon those required to furnish information 
to the Federal government; to minimize the government’s data- 
collection costs; to avoid unnecessary duplication of Federal 
data-collection efforts; and to maximize the usefulness to all 
Federal agencies of the information collected. Although concern for 
the interests of individuals can be discerned in its administration, 
the Act itself makes no mention of personal privacy. It neither 
creates nor recognizes any rights for individuals with respect to the 
personal-data record-keeping practices of the Federal government. 

The Freedom of Information Act mandates disclosure to the 
public of information held by the Federal government. It barely 
nods at the interest of the individual record subject by giving 
Federal agencies the authority to withhold personal data whose 
disclosure would constitute a clearly unwarranted invasion of 
privacy. The Act, however, is an instrument for disclosing informa- 
tion rather than for balancing the conflicting interests that surround 
the public disclosure and use of personal records. The Act permits 


* Appendix G contains a review of law that bears on the collection, storage, use, and 


dissemination of information by the Department of Health, Education, and Welfare. 
944 U.S.C. 3501-3511. 
35 U.S.C. 552. 
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exemption from mandatory disclosure for personal data whose ] 
disclosure would constitute a “clearly unwarranted invasion of & 
personal privacy,” but the agency is given total discretion in ® 
deciding which disclosures meet this criterion. The Act gives the data @ 
subject no way at all to influence agency decisions as to whether ¥ 


and how disclosure will affect his privacy.* 


Many of the States have similarly broad “public records” or & 


“freedom of information” statutes whose objective is to assure 
public access to records of State government agencies. Most of 


them, however, provide no exceptions from their general disclosure & 


requirements in recognition of personal privacy interests. We 
discovered no State law counterparts to the Federal Reports Act. 


By and large, one finds that record-keeping laws and regulations f 


at all levels of government are limited and specific in their 


application. The requirements and prohibitions they impose apply ’ 


to particular types of organizations, records, or record-keeping 


practices. They seldom go further than to stipulate that particular f 


records shall be maintained and made accessible to the public, to 


particular officials, or for particular purposes, or that particular — 


records shall be subject to confidentiality constraints. No body of 


statutory or administrative law establishes rights for individual 4 
record subjects or other rules of general application governing — 
personal-data record-keeping practices, whether manual or auto- — 


mated. 
Nor should we look to court decisions to develop such general 
rules. Courts can only decide particular cases; their opportunity to 


establish legal principle is limited by the nature of litigation arising | a 
from controversies between parties. Few cases that raise the broad § 


issues posed by all personal-data record keeping have been brought 
before the courts, and fewer that focus those issues on computer- 
based systems. There are several possible explanations for this. 


One possibility is that nobody has been hurt enough or has felt & 
sufficiently aggrieved by current record-keeping practices to bring —& 
suit. Another is that record-keeping and data-processing practices 
are not an overt or well understood function of institutions, 4 q 


‘The privacy implications of the Freedom of Information Act and its application to : 4 
computer-based record-keeping systems are discussed in Arthur R. Miller, The Assault on 4 E. 


Privacy (Ann Arbor: University of Michigan Press), 1971, pp. 152-161. 
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whether governmental or private. Their adverse effects may not 
have been recognized. The individual affected may never discover 
that the root of his difficulties with an institution was some piece 
of information about him in a record. This is one reason for the 
section in the Fair Credit Reporting Act® that requires than an 
individual be notified when an adverse action, such as denial of 
credit, insurance, or employment, is taken on the basis of a report 
from a consumer-reporting agency. 

Still another possibility is that unless injury to the individual can 
be translated into reasonably substantial claims for damages, the 
individual ordinarily has little incentive to undertake a lawsuit. Few 
people can afford to bring suit against a well-defended organization 
solely for moral satisfaction. 

Record-keeping practices have ancient and predominantly honor- 
able traditions, as we have seen. Historically, their social utility has 
seldom been questioned. Only when record-keeping systems can be 
shown to have caused actual injury, to have created problems with 
serious Constitutional implications, or to be in conflict with clear 
statutory requirements, are courts likely to interfere with their 
operation. As a consequence, government data systems appear, 
under existing law, to be virtually immune to constraint through 
suits by individual data subjects; private-sector systems appear no 
less so. The personal-data record-keeping operations of private 
organizations are unlikely to give rise to Constitutional issues and 
are typically not subject to statutory requirements.° The judicial 
process, in short, seems functionally ill-suited to initiating develop- 
ment of general common law rules relating to record-keeping 
practices. 

The foregoing analysis leads us to conclude that the natural 
evolution of existing law will not protect personal privacy from the 
risks of computerized personal data systems. In our view the 
analysis also disposes of any expectation that enactment of a mere 


515 U.S.C. 1681-1681t (1970). 
* The Fair Credit Reporting Act is a notable exception. 
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right of personal privacy would afford such protection.? The 
creation of such a right without precise and elaborate definition of 


its intended significance would not overcome the obstacles in the ¥ 


judicial process that hinder recognition of personal privacy in 
relation to record keeping. The development of legal principles 
comprehensive enough to accommodate a range of issues arising out 
of pervasive social operations, applications of a complex tech- 
nology, and conflicting interests of individuals, record-keeping 
organizations, and society, will have to be the work of legislative 
and administrative rule-making bodies. 


A Redefinition of the Concept of Personal Privacy 


Our review of existing law leads to the conclusion that 
agreement must be reached about the meaning of personal privacy 
in relation to records and record-keeping practices. It is difficult, 
however, to define personal privacy in terms that provide a con- 
ceptually sound framework for public policy about records and 
record keeping and a workable basis for formulating rules about 
record-keeping practices. For any one individual, privacy, as a value, 
is not absolute or constant; its significance can vary with time, 
place, age, and other circumstances. There is even more variability 
among groups of individuals. As a social value, furthermore, privacy 
can easily collide with others, most notably free speech, freedom of 
the press, and the public’s “right to know.” 

Dictionary definitions of privacy uniformly speak in terms of 
seclusion, secrecy, and withdrawal from public view. They all 
denote a quality that is not inherent in most record-keeping 
systems. Many records made about people are public, available to 
anyone to see and use. Other records, though not public in the 


7From this conclusion we should not be understood to be unaware of the potential 
significance of an unqualified right of personal privacy—either Constitutionally or by 
statute. We know of at least one instance in which the existence of such a right in a State 
constitution served as the basis for the State’s Attorney General to deny access to certain 
public records whose disclosure was not explicitly provided for in the governing State 
statutes. We would support enactment of a right of personal privacy for many reasons, but 
not as the only or best way to protect personal privacy in computer-based record-keeping 
systems. 


Safeguards for Privacy 39 


sense that anyone may see or use them, are made for purposes that 
would be defeated if the data they contain were treated as 
absolutely secluded, secret, or private. Records about people are 
made to fulfill purposes that are shared by the institution 
maintaining them and the people to whom they pertain. Notable 
exceptions are intelligence records maintained for criminal investi- 
gation, national security, or other purposes. Use of a record about 
someone requires that its contents be accessible to at least one 
other person—and usually many other persons. 

Once we recognize these characteristics of records, we must 
formulate a concept of privacy that is consistent with records. 
Many noteworthy attempts to address this need have been made. 


Privacy is the claim of iridividuals, groups, or institutions to determine 
for themselves when, how, and to what extent information about them is 
communicated to others.® 


... this is the core of the “right of individual privacy” —the right of the 
individual to decide for himself, with only extraordinary exceptions in 
the interests of society, when and on what terms his acts should be 
revealed to the general public.® 


The right to privacy is the right of the individual to decide for himself 
how much he will share with others his thoughts, his feelings, and the 
facts of his personal life.'° 


As a first approximation, privacy seems to be related to secrecy, to 
limiting the knowledge of others about oneself. This notion must be 
refined. lt is not true, for instance, that the less that is known about us 
the more privacy we have. Privacy is not simply an absence of 
information about us in the minds of others; rather it is the control we 
have over information about ourselves.*? 


The significant elements common to these formulations are (1) 
that there will be some disclosure of data, and (2) that the data 


® Alan F, Westin, Privacy and Freedom (New York: Atheneum), 1967, p. 7. 
§ Ibid., p. 373. 


1° Office of Science and Technology of the Executive Office of the President, Privacy 


and Behavioral Research (Washington, D.C., 1967), p. 8. 
** Charles Fried, “Privacy,” The Yale Law Journal, Vol. 17 (1968), p. 482. 
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subject should decide the nature and extent of such disclosure. An 
important recognition is that privacy, at least as applied to 
record-keeping practices, is not inconsistent with disclosure, and 
thus with use. The further recognition of a role for the record 
subject in deciding what shall be the nature and use of the record is 
crucial in relating the concept of personal privacy to record-keeping 
practices. 

Each of the above formulations, however, speaks of the data 
subject as having a unilateral role in deciding the nature and extent 
of his self-disclosure. None accommodates the observation that 
records of personal data usually reflect and mediate relationships in 
which both individuals and institutions have an interest, and are 
usually made for purposes that are shared by institutions and 
individuals. In fact, it would be inconsistent with this essential 
characteristic of mutuality to assign the individual record subject a 
unilateral role in making decisions about the nature and use of his 
record, To the extent that people want or need to have dealings 
with record-keeping organizations, they must expect to share rather 
than monopolize control over the content and use of the records 
made about them. 

Similarly, it is equally out of keeping with the mutuality of 
record-generating relationships to assign the institution a unilateral 
role in making decisions about the content and use of its records 
about individuals. Yet it is our observation that organizations 
maintaining records about people commonly behave as if they had 
been given such a unilateral role to play. This is not to suggest that 
decisions are always made to the disadvantage of the record subject; 
the contrary is often the case. The fact, however, is that the record 
subject usually has no claim to a role in the decisions organizations 
make about records that pertain to him. His opportunity to 
participate in those decisions depends on the willingness of the 
record-keeping organization to let him participate and, in a few 
instances, on specific rights provided by law. 


Here then is the nub of the matter. Personal privacy, as it relates 


to personal-data record keeping must be understood in terms of a 
concept of mutuality. Accordingly, we offer the following formula- 
tion: 


An individual’s personal privacy is directly affected by the 
kind of disclosure and use made of identifiable information 
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about him in a record. A record containing information 
about an individual in identifiable form must, therefore, be 
governed by procedures that afford the individual a right to 
participate in deciding what the content of the recerd will 
be, and what disclosure and use will be made of the 
identifiable information in it, Any recording, disclosure, and 
use of identifiable personal information not governed by 
such procedures must be proscribed as an unfair infor- 
mation practice unless such recording, disclosure or use is 
specifically authorized by law. 


This formulation does not provide the basis for determining a 
priori which data should or may be recorded and used, or why, and 
when. It does, however, provide a basis for establishing procedures 
that assure the individual a right to participate in a meaningful way 
in decisions about what goes into records about him and how that 
information shall be used. 

Safeguards for personal privacy based on our concept of 
mutuality in record-keeping would require adherence by 
record-keeping organizations to certain fundamental principles of 
fair information practice. 


e There must be no personal-data record-keeping systems 
whose very existence is secret. 


e There must be a way for an individual to find out what 
information about him is in a record and how it is used. 


e There must be a way for an individual to prevent 
information about him obtained for one purpose from being 
used or made available for other purposes without his 
consent. 


e There must be a way for an individual to correct or 
amend a record of identifiable information about him. 


e Any organization creating, maintaining, using, or 
disseminating records of identifiable personal data must 
assure the reliability of the data for their intended use and 
must take reasonable precautions to prevent misuse of the 
data. 
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These principles should govern the conduct of all personal-data 
record-keeping systems. Deviations from them should be permitted 
only if it is clear that some significant interest of the individual data 
subject will be served or if some paramount societal interest can be 
clearly demonstrated; no deviation should be permitted except as 
specifically provided by law. 


Mechanisms for Providing Safeguards 


Many mechanisms have been suggested for providing safeguards 
against the potential adverse effects of automated personal-data 
systems. Those who believe a general right of personal privacy 
should be established, by Constitutional amendment or by statute, 
propose, in effect, that the courts should be the mechanism. 
Although we have concluded that a general right of privacy is not a 
reliable approach to achieving effective protection, the safeguards 
we recommend in the following chapters of this report would rely 
in part on the courts. 

Some have proposed that there be a public ombudsman to 
monitor automated personal data systems, to identify and publicize 
their potential for adverse effects, and to investigate and act on 
complaints about their operation. We note with approval the efforts 
of the Association for Computing Machinery, and of many business 
firms and newspapers, to provide ombudsman service to the victims 
of computer errors. We believe the benefits of this approach are 
many and would like to see it extended to more systems. However, 
the ombudsman concept is basically remedial and will, therefore, 
work best in the context of established rights and procedures. 
Furthermore, the function is not well understood or widely 
accepted in America, and some observers feel it has severe 
limitations in the context of American legal, political, and 
administrative traditions. 

The “strongest” mechanism for safeguards which has been 
suggested is a centralized, independent Federal agency to regulate 
the use of all automated personal data systems. In particular, it has 


been proposed that such an agency, if authorized to register or 3 


license the operation of such systems, could make conformance to 


specific safeguard requirements a condition of registration or 4 
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licensure. The number and variety of institutions using automated 
personal data systems is enormous. Systems themselves vary greatly 
in purpose, complexity, scope of application, and administrative 
context. Their possible harmful effects are as much a product of 
these features as of computerization alone. We doubt that the need 
exists or that the necessary public support could be marshalled at 
the present time for an agency of the scale and pervasiveness 
required to regulate all automated personal data systems. Such 
regulation or licensing, moreover, would be extremely complicated, 
costly, and might uselessly impede desirable applications of 
computers to record keeping.!? 

The safeguards we recommend require the establishment of no 
new mechanisms and seek to impose no constraints on the 
application of electronic data-processing technology beyond those 
necessary to assure the maintenance of reasonable standards of 
personal privacy in record keeping. They aim to create no obstacles 
to further development, adaptation, and application of a technol- 
ogy that, we all agree, has brought a variety of benefits to a wide 
range of people and institutions in modern society. 

The proposed safeguards are intended to assure that decisions 
about collecting, recording, storing, disseminating, and using iden- 
tifiable personal data will be made with full consciousness and 
consideration of issues of personal privacy—issues that arise from 


‘2 These comments point up what we regard to be the deficiencies of a regulatory 
approach that would constitute a single Federal agency as the regulatory body. They are 
not intended to discourage the development of regulation in specific, limited areas of 
application of computer-based record-keeping systems. For example, where particular 
institutions or societal functions are already subject to regulation, e.g., public utilities, 
common carriers, insurance companies, hospitals, it well may be that an effective way to 
introduce and enforce safeguard requirements would be through the public agencies that 
regulate such institutions. Such an approach has been adopted with respect to the 
credit-reporting industry (see discussion, Chapter IV, p. 69). 


Many municipal governments have been exploring regulatory or quasi-regulatory mechan- 
isms for applying safeguard requirements to so-called “integrated municipal information 
systems.” The efficacy of such mechanisms has not yet been demonstrated; however, we 
know of several that appear promising in conception. In addition, at both State and local 
government levels, efforts are being made to regulate the use of criminal justice 


;... information systems. 


508-625 O - 73 - & 


44 RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS 


inherent conflicts and contradictions in values and interests. Our 
recommended safeguards cannot assure resolution of those conflicts 
to the satisfaction of all individuals and groups involved. However, 
they can assure that those conflicts will be fully recognized and that 
the decision-making processes in both the private and public 
sectors, which lead to assigning higher priority to one interest than 
to another, will be open, informed, and fair. 

The safeguards we will recommend are intended to create 
incentives for institutions that maintain automated personal data 
systems to adhere closely to basic principles of fair information 
practice. Establishment of a legal protection against unfair informa- 
tion practice to embody the safeguard requirements described in 
Chapters TV, V, and VI, will invoke existing mechanisms to assure 
that automated personal data systems are designed, managed, and 
operated with due regard for protection of personal privacy. We 
intend and recommend that institutions should be held legally 
responsible for unfair information practice and should be liable for 
actual and punitive damages to individuals representing themselves 
or classes of individuals. With such sanctions institutional managers 
would have strong incentives to make sure their automated personal 
data systems did not violate the privacy of individual data subjects 
as defined. 

Of greatest importance, from our point of view, the safeguards 
we will recommend give the courts a reliable and generally 
applicable basis for protecting personal privacy in relation to record 
keeping. The legal concept of fair information practice we 
recommend will obviate the need to search for new Constitutional 
doctrines or to invent ways of extending the existing common law 
of privacy to cover situations for which it is conceptually iJJ-suited. 


The Costs of Safeguards 


The safeguards we recommend will not be without costs, which 
will vary from system to system. The personal-data record-keeping 
practices of some organizations already meet many of the standards 


called for by the safeguards. The Social Security Administration, | 3 


eR speed rail transportation systems. Such computer applications do not typically require 


for example, maintains a record of earnings for each individual in 
the Social Security system, and each individual has the legal right to 
learn the content of his record. Procedures have been set up to 
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allow an individual to find out easily what is in his record and to 
have the record corrected if it is wrong. Disclosure of an individual’s 
record outside the system is forbidden, except under certain limited 
circumstances prescribed by statute and regulation, and there are 
criminal penalties for unauthorized disclosure. An individual is 
given notice and opportunity for a hearing when the record is being 
changed at the initiative of the Social Security Administration. 
These protections are a normal part of Social Security adminis- 
tration and, in our view, demonstrate the feasibility of building 
such safeguards into any system when the system’s managers are 
strongly committed to do so. 

We believe that the cost to most organizations of changing their 
customary practices in order to assure adherence to our recom- 
mended safeguards will be higher in Management attention and 
psychic energy than in dollars. These costs can be regarded in part 
as deferred costs that should already have been incurred to protect 
Personal privacy, and in part as insurance against future problems 
that may result from adverse effects of automated personal data 
systems. From a practical point of view, we can expect to reap the 
full advantages of these systems Only if active public antipathy to 
their use is not provoked.!3 

The past two decades have given America intensive lessons in the 
difficulty of trying to check or compensate for undesirable 
side-effects stemming from headlong application and exploitation of 
complex technologies, Water pollution, air pollution, the annual 
highway death toll, suburban sprawl, and urban decay are all 
unanticipated consequences of the too narrowly conceived and 
largely unconstrained applications of technology. Hence, it is 


*3In addition to maintaining and using records of personal information, computer 
technology is a tremendous new force for development in many ways, Already, for 
example, computers are controlling traffic on city streets and highway systems, and in the 
air; supplementing human judgment in making medical diagnoses; monitoring air pol- 
lution; predicting the weather; and even acting as surrogates for human decision makers in 
controling large electrical power systems, industrial manufacturing processes, and high- 


identifiable information about people. That which is required is limited and need be 


E a retained for only a short time. Thus the social risks from computer systems such as these 
¢ ‘are beyond the scope of this report. 
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essential now for organizational decision makers to understand why § 
they should be sensitive to issues of personal privacy and not permit ; 


their organizations unilaterally to adopt computer-based 


record-keeping practices that may have adverse effects on indi- g 
viduals. They must recognize where conflicts are likely to arise @iR: 
»etween an individual’s desire for personal privacy and an organiza- 3a 
tion’s record-keeping goals and behavior. They must recognize that # 
although individuals and record-keeping organizations do have cer- @ 
tain shared purposes, they also have other purposes—some of which #& 
are mutual, though not perceived as such, and some of which can be 4 q 


in direct conflict. 


Record-keeping organizations must guard against insensitivity to JF 
the privacy needs and desires of individuals; preoccupied with their 
own convenience or efficiency, or their relationships with other -& 
organizations, they must not overlook the effects on people of their 4 
record-keeping and record-sharing practices. They have the power — 
to eliminate misunderstanding, mistrust, frustration, and seeming & 


unfairness; they must learn to exercise it. 


I know everybody's income and what everybody earns; 
And I carefully compare it with the income-tax returns; 


To everybody's prejudice I know a thing or two; 
I can tell a woman's age in half a minute—and I do! 


Yet everybody says I am a disagreeable man! 


And I can’t think why! 


King Gama in Gilbert and Sullivan’s 
Princess Ida 
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This chapter contains general recommendations for all personal 


- data systems and safeguard requirements for administrative personal 


7 data systems used as such. Chapter V contains additional safeguard 


Recommended Safeguards for 
Administrative Personal Data 
Systems 


Our inquiry has Jed us to distinguish two categories of personal ; : 


data systems that deserve separate attention in developing safe- 
One consists of administrative systems; the other of # 


guards. 
statistical-reporting and research systems. The essential distinction 4 
between the two categories is functional. An administrative * 
personal data system maintains data on individuals for the purpose : 
of affecting them directly as individuals—for making determinations * 
relating to their qualifications, character, rights, opportunities, or 
benefits. A statistical-reporting or research system maintains data 
about individuals exclusively for statistical reporting or research, 
and is not intended to be used to affect any individual directly.’ 


11n our brief review of the history of record keeping in Chapter 1, we took note of the 
origins and existence of intelligence records. These should be thought of as a type of 3 
administrative personal data system, since inteBigence records are maintained about people’ 
for the purpose of affecting them directly as individuals. We have not, however, examined 4 
intelligence record-keeping systems as such, and it was not with such systems in mind that’ 
we developed the safeguard recommendations set forth in this chapter. At the end of theg 
chapter, we have included a brief statement about the application of our safeguards to’ 
intelligence records. q 
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requirements for statistical-reporting and research applications of 
administrative systems. Systems maintained exclusively for statisti- 


cal reporting or research and safeguard requirements for them are 


addressed in Chapter VI. 

Although our specific charge has been to analyze problems of 
automated systems, our recommendations could wisely be applied 
to all personal data systems, whether automated or manual. 
Computer-based systems magnify some record-keeping problems 
and introduce others, but no matter how data are stored, any 
maintenance of personal data presents some of the problems 
discussed in Chapters II and IH. Moreover, the distinction between 
an automated and a non-automated system is not always easy to 
draw; requiring safeguards for all personal data systems eliminates 
the need to mle on ambiguous cases. Uniform application of 
safeguards to all systems will also facilitate conversion from manual 
to automated data processing when it does occur. 

We define an automated personal data system as a collection of 
records containing personal data that can be associated with 
identifiable individuals, and that are stored, in whole or in part, in 
computer-accessible files. Data can be “associated with identifiable 


- individuals” by means of some specific identification, such as name 


or Social Security number, or because they include personal 


f° characteristics that make it possible to identify an individual with 


reasonable certainty. “Personal data” include all data that describe 
anything about an individual, such as identifying characteristics, 
measurements, test scores; that evidence things done by or to an 
individual, such as records of financial transactions, medical 
treatment, or other services; or that afford a clear basis for inferring 
personal characteristics or things done by or to an individual, such 
as the mere record of his presence in a place, attendance at a 


Meeting, or admission to some type of service institution. “‘Com- 


uuter-accessible’’ means recorded on magnetic tape, magnetic disk, 
agnetic drum, punched card, or optically scannable paper or film. 
A “data system” includes all processing operations, from initial 
lection of data through all uses of the data. Data recorded on 
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questionnaires, or stored in microfilm archives, are considered part 
of the data system, even when the computer-accessible files 
themselves do not contain identifying information. 

Consistent with the rationale set forth in Chapter III, we 
recommend the enactment of legislation establishing a Code of Fair 
Information Practice for all Automated personal data systems. 


« The Code should define “fair information practice” as 
adherence to specified safeguard requirements. (Safeguard 
requirements for administrative personal data systems are 
set out below; those for statistical-reporting and research 
systems will be found in Chapter VI.) 


e The Code should prohibit violation of any safeguard 
requirement as an “unfair information practice.” 


e The Code should provide that an unfair information 
practice be subject to both civil and criminal penalties. 


e The Code should provide for injunctions to prevent 
violation of any safeguard requirement. 


e The Code should give individuals the right to bring suits 
for unfair information practices to recover actual, liqui- 
dated, and punitive damages, in individual or class actions. 
It should also provide for recovery of reasonable attorneys’ 
fees and other costs of litigation incurred by individuals 
who bring successful suits. 


Pending the enactment of a code of fair information practice, we 


recommend that all Federal agencies (i) apply the safeguard 


requirements, by administrative action, to all Federal systems, and 4 
(ii) assure, through formal rule making, that the safeguard require- 
ments are applied to all other systems within reach of the Federal 4 
government’s authority. Pending the enactment of a code of fair } 
information practice, we urge that State and local governments, the 
institutions within reach of their authority, and all private 
organizations adopt the safeguard requirements by whatever. means 4 
are appropriate. Labor unions, for example, might find the ; 
application of the safeguards to employee records an appropriate i 


issue in collective bargaining. 
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reafeguards for Administrative Personal Data Systems 


rtstablishing Automated Personal Data Systems 

Ti 

a We were not charged with developing ‘criteria for determining 
y when and for what purposes to establish personal data systems. It is 
ra oubtful that any such criteria are feasible or warranted. Our 
“inquiry, however, has prompted us to make cautionary observations 
Fto those who must decide whether, when, and how to establish 
automated personal data systems. . ~ 

The general proposition that records and record-keeping systems 
are desirable and useful does not necessarily apply to every system. 
pSome data systems appear to serve no clearly defined purpose; some 
pappear to be overly ambitious in scale; others are poorly designed; 
and still others contain inaccurate data. 

* Each time a new personal data system is proposed (or expansion 
pel an existing system is contemplated) those responsible for the 
é tivity the system will serve, as well as those specifically charged 
th designing and implementing the system, should answer 
"2 plicitly such questions as: 


¢ What purposes will be served by the system and the data to 
a ; be collected? 


fe How might the same purposes be accomplished without 
PA rr collecting these data? 


ee If the system is an administrative personal data system, are 
wy, the proposed data items limited to those necessary for 
making required administrative decisions about individuals 
as individuals? 


Is it necessary to store individually identifiable personal 
f~ data in computer-accessible form, and, if so, how much? 


Is the length of time proposed for retaining the data in 
identifiable form warranted by their anticipated uses? 


careful consideration of questions such as these might avert the 
blishment of some systems. Even if a proposed system survives a 
ching examination of the need for it, the very process should at 
t suggest limitations on the collection and storage of data. 
ormalized administrative procedures and requirements should 
ollowed to assure that questions about the purposes, scope, and 
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to the interest of individuals in having the requirement imposed. 
poocietal interest,” moreover, should not be construed as equiva- 
ent to the convenience or efficiency of organizations that maintain 
Hata systems, the preference of a professional group, or the welfare 
@f individual data subjects as defined by system users or operators. 
y eebting policies that guide the handling of personal data should 
‘i Riot be uncritically accepted or reaffirmed. Nor should the basic 
least common denominator” quality of the safeguards discourage 
Ha -making bodies, or organizations maintaining personal data 
ystems, from providing individuals greater protection than the 
eafeguards offer. Existing laws or regulations that provide pro- 
mections greater than the safeguards should be retained; those that 
) provide less protection should be amended to meet the standards 
piby the safeguards. 


utility of systems are raised and confronted before systems arg 
established or enlarged. Members of the public should also have an 
opportunity to comment on systems before they are created. 

It is especially important that such procedures be followe@ 
whenever data collection requirements, imposed by any Feder 
department or agency on States, other grantees, or regulated 
organizations, are likely to result in the creation or enlargement o! 
personal data systems. In our view, any such data collectio 
requirement should be established by regulations adopted after thé 
public has been given an opportunity to comment, rather than bj 
less formal means, such as program guidelines or manuals. Adoptiog 
of a regulation also forces a Federal agency to go through a formé 
process of internal justification and executive review. In the case 
Federal data-collection requirements, the notice of any proposed 
regulation should contain a clear explanation of why each item @ 
data is to be collected and why it must be collected and stored ig 
identifiable form, if such is proposed. 


SAFEGUARD REQUIREMENTS FOR . 
ADMINISTRATIVE PERSONAL DATA SYSTEMS 


The Safeguard Requirements gs GENERAL REQUIREMENTS 


Any organization maintaining a record of individually identifiable 
nal data, which it does not maintain as part of an administrative 
automated personal data system, shall make no transfer of any such data to 
% mother organization without the prior informed consent of the individual to 
jhom the data pertain, if, as a consequence of the transfer, such data will 
ome part of an administrative automated personal data system that is not 
Brij geet to these safeguard requirements. 


An automated personal data system should operate in com 
formity with safeguard requirements. that, as stated above, shoul 
be enacted as part of a code of fair information practice. It # 
difficult to formulate safeguard requirements that will assure, if 
every system, an appropriate balance between the interest of thi 
individual in controlling information about himself and all oth@ 
interests—institutional and societal. However, because the saf¢ 
guards we recommend are so basic to assuring fairness in persong 
data record keeping, any particular system, or class of systemg 
should be exempted from any one of them only for strong ang 
explicitly justified reason. 

If organizations maintaining personal data systems are left free th 
decide for themselves when and to what extent to adhere fully 
the safeguard requirements, the aim of establishing by law a ba 
code of fair information practice will be frustrated. Thug 
exemptions from, or modifications of, any of the safeguag 
requirements should be made only as specifically provided t& 
statute, and there should be no exemption or modification unless# 
societal interest in allowing it can be shown to be clearly paramouy 


other safeguard requirements for administrative personal data 
ms have been formulated to apply only to automated systems. 
ggested earlier, the safeguards would wisely be applied to all 
onal data systems that affect individuals directly, whether or 
hey are automated. If this is not done, however, it is necessary 
sure that individuals about whom an organization maintains 
pids of personal data, which are not part of an automated 
m, will be protected in the event that personal data from those 
erds are transferred to automated systems. Requirement /.A. is 
ded to provide such protection by requiring that transfers of 
nal data to automated systems not subject to the safeguard 
ements be made only with the informed consent of the 
iduals to whom the data pertain. 
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Punitive action against any individual who brings to the 
attention of appropriate authorities, the press, or any member 
of the public, evidence of unfair information practice; 


The requirement is formulated so as not to apply to transfers of 
personal data that are not in individually identifiable form, e.g., for 
statistical reporting. (Transfers of individually identifiable data to 
automated systems used exclusively for statistical reporting and’ 
research are covered in Chapter VI, p. 97.) 


- The employees of an organization must not be penalized for 
‘attempting to prevent or expose violations of the safeguard 
Frequirements. Organizations maintaining systems must assure their 
r employees that no harm will come to them as a consequence of 
bringing evidence of poor practice or willful abuse to the attention 
fof parties who are willing and prepared to act on it. 

a A personal-data record-keeping system is often one of the least 
f visible aspects of an organization’s operations. Organization man- 
. agers are sometimes ignorant of important facets of system 
Operations, and individual clients or beneficiaries often do not 
F perceive how their difficulties in dealing with an organization may 
‘stem from its record-keeping practices. Furthermore, systems tend 
to be designed, developed, and operated by sizable groups of 
F specialists, no one of whom has a detailed understanding of how 
Feach system works and of all the ways in which it can be abused. 
PThis diffusion of responsibility, and of practical knowledge of 
psystem characteristics, makes the integrity of computer-based 
record-keeping systems especially dependent on the probity of 
psystem personnel. Efforts by associations of data processing 
,specialists to gain nationwide adherence to a code of professional 
thics attest to the importance of this aspect of system operations. 


B. Any organization maintaining an administrative automated personal data 4 
system shall: j 


(1) Identify one person immediately responsible for the system, 
and make any other organizational arrangements that are 
necessary to assure continuing attention to the fulfiliment of 
the safeguard requirements; 


The obligation to identify a person responsible for the system. is 4 
intended to provide a focal point for assuring compliance with the} 
safeguard requirements and to guarantee that there will be someone 
with authority to whom a dissatisfied data subject can go, if other! 
methods of dealing with the system are unsatisfactory. Systems that 
involve more than one organization may present special problems in} 
this respect, and must be carefully designed to assure that a data} 
subject is not shuffled from one organization to another when he 
seeks to assert his rights under these requirements. 


(2) Take affirmative action to inform each of its employees 
having any responsibility or function in the design, develop- 
ment, operation, or maintenance of the system, or the use of 
any data contained therein, about all the safeguard requirements 
and aff the rules and procedures of the organization designed to 
assure compliance with them; 


(4) Take reasonable precautions to protect data in the system 
from any anticipated threats or hazards to the security of the 
system; 


4 The purpose of requirement (4) is to assure that an organization 
Fmaintaining an automated personal data system takes appropriate 
ecurity precautions against unauthorized access to data in the 
roy stem, including theft or malicious destruction of data files. 


This requirement takes account of the fact that the actions of, 
many people, with diverse responsibilities and functions located in} 
different parts of an organization, affect the operations of an: 
automated personal data system. Often these people lack a common 
understanding of the possible consequences for the system of their, 
separate actions. If an organization is to comply fully and; 
efficiently with the safeguard requirements, its employees will have] 
to be made thoroughly aware of all the rules and procedures the 
organization has established to assure compliance. 


(5) Make no transfer of individually identifiable personal data 
to another system without (i) specifying requirements for 
security of the data, including limitations on access thereto, and 
{ii) determining that the conditions of the transfer provide 
substantial assurance that those requirements and limitations 
will be observed—except in instances when an_ individual 
specifically requests that data about himself be transferred to 
another system or organization; 


(3) Specify penalties to be applied to any employee who 
initiates or otherwise contributes to any disciplinary or other 
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accuracy and fairness in any determination relating to an 
individual’s qualifications, character, rights, opportunities, or 
benefits that may be made on the basis of such data; and 


Requirement (5) is intended to provide protection against any 
additional risks to data security resulting: from transfer of data from 
one system to another, or from the establishment of regular data 
linkages between systems. To comply with this requirement, an 
organization would have to be able to demonstrate that it had 
carefully followed procedures deliberately designed to assure that 
the security conditions for a data transfer, including transmission | 
facilities and the data security features and access limitations of the j 
system receiving the data, conform to specified expectations of the 
transferring organization and its data subjects. In combination with 
safeguard requirement // (3) (pp. 61-62, below), which requires an 4 
organization to obtain the informed consent of individual data | 
subjects before permitting data about them to be put to uses that 
exceed their reasonable expectations, this requirement would, for 
example, prevent the sale of data files by one organization to j 
another without the consent of the data subjects if the security: 
features and access limitations of the purchasing organizations were | 
such as to open the possibility of uses not anticipated by the data: 
subjects. The exception in requirement (5) is intended to accommo- 
date the possibility that an individual may need or want his record, 
or data therefrom, to be made available to another organization 
even though such transfer may entail risks of security or access that} 
the transferring organization would not undertake or permit, andj 
could not, consistent'with this safeguard. 


(8). Eliminate data from computer-accessible files when the data 
are no longer timely. 


Requirements (7) and (8) are intended to reduce the number of 
instances in which individuals are adversely affected by poorly 
j conceived, poorly executed, or excessively ambitious uses of 
automated personal data systems. Because specific deficiencies in 
F individual records will constitute evidence that requirement (7) has 
' been violated, the effect of the requirement will] be to make an 
organization as alert to isolated errors as it is to sources of recurring 
‘ errors. To assure alertness, giving high priority to periodic retraining 
j of system personnel and the suitability of their working conditions 
} is essential. In addition, the organization may find that regular 
‘evaluation is needed of its data collection procedures and of the 
F accuracy with which data are being converted into computer- 
F accessible form. If particular data are being reproduced for use by 
| another system or organization, steps may also have to be taken to 
} apprise the receiving organization of subtle pitfalls in interpreting 
ithe data. 
Requirement (7) will discourage organizations from attempting to 
handle more data than they can adequately process and should also 
preduce the likelihood that computer-based ‘‘dragnet” operations 
Will injure, embarrass, or otherwise harrass substantial numbers of 
Findividuals. Requirement (8) will promote the development of 
F data-purging schedules that reflect the reasonable useful life of each 
Fcategory of data. Although the requirement would not prohibit the 
retention of data for archival purposes, it would assure that 
pobsolete data are not available for routine use. 


(6) Maintain a complete and accurate record of every access to 
and use made of any data in the system, including the identity 
of all persons and organizations to which access has been given; 


This requirement will contribute significantly to an organiza: 
tion’s capacity to detect improper dissemination of personal data. It? 
is not intended to include ordinary system housekeeping entries, 
such as updating of files, undertaken in the course of normalj 
maintenance by system personnel. To facilitate its compliance with 
requirement III (4) (p. 62, below), an organization should consider, 
assuring that records of access to and use of data are part of, or are} 
easily associable with, the records of individuals that are accessed 


and used. 


HI: Public Notice Requirement 


fF Any organization maintaining an administrative automated personal data 
p system shall give public notice of the existence and character of its system once 
5 cach year. Any organization maintaining more than one system shall publish 
ch annual notices for all its systems simultaneously. Any organization 
Eproposing to establish a new system, or to enlarge an existing system, shall give 


(7) Maintain data in the system with such accuracy, complete- Beas . 4 
Public notice long enough in advance of the initiation or enlargement of the 


ness, timeliness, and pertinence as is necessary to assure 
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(1} The name of the system; b¢ ystem shall: 


(1) Inform an individual asked to supply personal data for the 
system whether he is legally required, or may refuse, to supply 
the data requested, and also of any specific consequences for 
him, which are known to the organization, of providing or not 
providing such data; 


(2) The nature and purpose(s) of the system; 


(3) The categories and number of persons on whom data are (to 
be) maintained; 


(4) The categories of data (to be) maintained, indicating which 


categories are (to be) stored in computer-accessible files; : F 20.63 ? 
8 ( ) P ? This requirement is intended to discourage organizations from 


Fprobing unnecessarily for details of people’s lives under circum- 
Fstances in which people may be reluctant to refuse to provide the 
mequested data. It is also intended to discourage coercive collection 
of personal data that are to be used exclusively for statistical 
reporting and research. (Secondary statistical-reporting and research 
applications of administrative personal data systems are the subject 
efChapter V.) 


(5) The organization’s policies and practices regarding data 
storage, duration of retention of data, and disposal thereof; 


(6) The categories of data sources; 


(7) A description of all types of use (to be) made of data, 
indicating those involving computer-accessible files, and includ- 
ing all classes of users and the organizational relationships 
among them; 


(8) The procedures whereby an individual can {i) be informed 
if he is the subject of data in the system; (ii) gain access to such 
data; and (iii) contest their accuracy, completeness, pertinence, 
and the necessity for retaining them; 


(9) The title, name, and address of the person immediately 
responsible for the system. 


The requirement for announcing the intention to create 0 
enlarge a system stems from our conviction that public involvemef 
is essential for fully effective consideration of the pros and cons 
establishing a personal data system. Opportunity for public involvg 
ment must not be limited to actual or potential data subjects; 
should extend to all individuals and interests that may have view 
on the desirability of a system. 

We have not specified a uniform mechanism for giving notice, bf 
rather expect all reasonable means to be used. In the Federg 
government, we would expect at least formal notice in the Federg 
Register as well as publicity through other channels, includig 
mailings and public hearings. We would expect State and loc 
governments to use whatever comparable mechanisms are availabg 
to them. For other organizations maintaining or proposing system 
arrangements such as newspaper advertisements may be apprg 
priate. Whatever methods are chosen, an organization must ha¥ 
copies of its notices readily available to anyone requesting them. 4 


(2) Inform an individual, upon his request, whether he is the 
subject of data in the system, and, if so, make such data fully 
available to the individual, upon his request, in a form 
comprehensible to him; 


r_ We considered having this requirement provide that an individual 
be informed that he is a data subject, whether or not he inquires. It 
Reems to us, however, that such a requirement could be needlessly 
meurdensome to some organizations, particularly if the character of 
their operations makes it likely that an individual will know that he 
AS subject of data in one or more systems—for example, systems 
hat mail their customers monthly statements. Furthermore, since 
our objective is to specify a set of fundamental “least common 
Kienominator” standards of fair information practice, we concluded 
hat it would be sufficient to guarantee each individual the right to 
g Bscertain whether he is a data subject when and if he asks to know. 
F We would, however, urge that organizations take the initiative to 
if iiform individuals voluntarily that data are being maintained about 
mem, especially if it seems likely that the individuals would not be 
Kade fully aware of the fact as a consequence of normal system 


subjects as a consequence of providing data about themselves in an 
a lication, the form could describe the records that will be 
maintained about them. 


B! 
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OD erations. For example, in systems where individuals become data 
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This requirement affords an individual about whom data are ' 
maintained in a system the right to be informed, and the right to ° 
obtain a copy of data, only if he may be affected individually by % 
any use made of the system. For example, employees about whom 4 
earnings data are maintained in individually identifiable form in 
records kept by their employers would have these rights, but * 
individuals appearing collaterally in records, such as an employee’s | 
dependents or character references, would have the rights afforded 9% 
by this requirement only if they could be affected by the uses made 3% 


of the records in which they appear. 


We recognize that the right of an individual to have full access to 4 
data pertaining to himself would be inconsistent with existing ’ 
practice in some situations. The medical profession, for example, *’ 
often withholds from a patient his own medical records if? 
knowledge of their content is deemed harmful to him; school 4 
records are sometimes not accessible to students; admission to 4 
schools, professional licensure, and employment may involve % 
records containing third-party recommendations not commonly ' 


made available to the subject. 


As indicated earlier (pp. 52-53, above), exemption from any one # 
of the safeguard requirements should be only for a strong and } 
explicitly justified reason. Thus, existing practices restricting an } 
individual’s right to obtain data pertaining to himself should be 4 
continued only if an exemption from the requirement of full access } 


is specifically provided by law. 
Reassessment of existing practices that deprive individuals of full 


access to data recorded about themselves will be one of the most 4 


significant consequences of establishing safeguard requirement [I 
(2), Many organizations are likely to argue that it is not in the 


interest of their data subjects to have ‘full access. Others may | 
oppose full access on the grounds that it would disclose the content $ 
of confidential third-party recommendations or reveal the identity | 
of their sources. Still others may argue that full access should not | 
be provided because the records are the property of the organiza- 3 
tion maintaining the data system. Such objections, however, are j 


inconsistent with the principle of mutuality necessary for fair 


information practice. No exemption from or qualification of the 4 
right of data subjects to have full access to their records should be } 
granted unless there is a clearly paramount and strongly justified 4 


societal interest in such exemption or qualification. 
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If an organization concludes that disclosing to an individual the 
content of his record might be harmful to him, it can point that 
out, but if the individual persists in his request to have the data, he 
should, in our view be given it. The instances in which it can be 
convincingly demonstrated that there is paramount societal interest 
in depriving an individual of access to data about himself would 
seem to be rare. : 

Similarly, we cannot accede in general to the claim that the 
sources of recorded comments of third parties should be kept from 
a data subject if he wants to know them. Disclosure to the data 
subject of the sources of such comments may be difficult for 
organizations that have promised confidentiality. Modifying the 
data subject’s right of access in order to honor past pledges may be 
necessary. However, the practice of recording data provided by 
third parties, with the understanding that the identities of the data 
providers will be kept confidential, should be continued only where 
there is a strong, clearly justified societal interest at stake. 
Elementary considerations of due process alone cast grave doubt on 
the propriety of permitting an organization to make a decision 
about an individual on the basis of data that may not be revealed to 
him or that have been obtained from sources that must remain 
anonymous to him. 


(3) Assure that no use of individually identifiable data is made 
that is not within the stated purposes of the system as 
reasonably understood by the individual, unless the informed 
consent of the individual has been explicitly obtained; 


This requirement is intended to deal with one of the central 
issues of fair information practice—controlling the use of personal 
data. Assume that a system maintains no more personal data than 
reasonably necessary to achieve its purposes. Assume further that 
its purposes are well understood and accepted by the individuals 
about whom data are being maintained, and that all data in the 
system are accurate, complete, pertinent, and timely. The question 
of how data in the system are actually used still remains. 

Because an individual can be adversely affected even by accurate 
data in well-kept records, the use of personal data in a system 
should be held to standards of fairness that minimize the risk that 
an individual will be injured as a consequence of an organization’s 
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Coupled with requirement /(6) (p. 56, above) this requirement 
© would also afford individuals the opportunity to advise those to 
* whom records about them have been disseminated of any cor- 
F rections, clarifications, or deletions that should be made. 


permitting data about him to be used for purposes that differ ’ 
substantially from whatever uses he has been led to expect. The 4% 
public notice called for by safeguard requirement lJ (pp. 57-58, 
above) is intended to assure that when an individual first becomes a ' 
data subject, he will be able to understand the purposes of the % 
system and the types of uses to which data about him will be put. | 
If, however, an organization expands the previously announced §} 
purposes of the system, or enlarges the range of permissible uses of , 
data in identifiable form, it must not only revise its public notice 
for the system, but also must obtain the prior consent of all 3 
existing data subjects. 3 
The objective of requirement J/I(3), in short, is to make it | 
possible for individuals to avoid having data about themselves used - 
or disseminated for purposes to which they may seriously object. 
The requirement applies to all new types of uses, whether they will 3 
be made by the system that initially collected that data or by some 3 
other system or organization to which data are to be transferred. 
Thus it applies (as noted on p. 56, above) to uses that may result 3 
from the transfer to data to a system whose security features and 3 
access limitations open the possibility of uses not anticipated by the 
data subjects. : 


(5) Assure that no data about an individual are made available 
from the system in response to a demand for data made by 
means of compulsory legal process, unless the individual to 
whom the data pertain has been notified of the demand; 


.. . Compulsory legal process” includes demands made in the form 
.. Of judicial or administrative subpoena and any other demand for 
; data that carries a legal penalty for not responding. It should be the 
» Tesponsibility of the person or organization that seeks to obtain 
«data by compulsory legal process to notify the data subject of the 
a demand and to provide evidence of such notification to the system. 
® In instances when it may be more practicable for the system to give 
E Notice of the demand to the data subject, the cost of doing so 
.. Should be borne by the originator of the demand. 

__ The intent of requirement (5) is to assure that an individual will 
S.,know that data about himself are being sought by subpoena, 
ummons, or other compulsory legal process, so as to enable him to 
assert whatever rights he may have to prevent disclosure of the data. 
(4) Inform an individual, upon his request, about the uses made a 

of data about him, including the identity of all persons and 
organizations involved and their relationships with the system; 


(6) Maintain procedures that (i) allow an individual who is the 
subject of data in the system to contest their accuracy, 
completeness, pertinence, and the necessity for retaining them; 
(ii} permit data to be corrected or amended when the individual 
to whom they pertain so requests; and (iii) assure, when there is 
disagreement with the individual about whether a correction or 
amendment should be made, that the individual’s claim is noted 
and included in any subsequent disclosure or dissemination of 
the disputed data. 


This requirement will guarantee the individual an opportunity to , 
find out exactly how and why data about him have been used, and 
by whom. It provides this right for an individual only when he 
makes a request; a general rule requiring an organization to take the j 
initiative in all cases to inform an individual how data about him } 
have been used would often not serve any useful purpose, and j 
might lead, for example, to periodic mass mailings to inform 
individuals of uses of which they are already aware. Nonetheless, , 
there may be instances when data subjects will want to be informed , 
on a regular basis about particular types of data use. It is the intent , 
of this safeguard that an organization provide such service when an , 
individual requests it. 


F It is not the intent of this requirement in any way to relieve an 
F’ organization of the obligation to maintain data in accordance with 
* réquirement I(8) (p. 57, above). Rather, in combination with 
* requirement I(8), it is expected to give an organization maintaining 
* a system strong incentives to investigate and act upon any claim by 
fan individual that data recorded about him are incorrect, insuf- 
’ ficient, irrelevant, or out-of-date. The provision for obtaining 
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injunctions included in the Code of Fair Information Practice (p. % 


50, above) will enable individuals to seek court orders for corrective 
action in regard to their records. 


Relationship of Existing Laws to the Safeguard Requirements 


As we stated earlier in this chapter, existing laws or regulations 
affording individuals greater protection than the safeguard require- 


ments should be retained, and those providing less protection % 


should be amended to meet the basic standards set by the 
safeguards. We have not attempted an exhaustive inventory of 
existing Federal and State statutes that may need to be amended to 


bring them into conformity with the safeguards, but in the course ; 
of our work we have identified two Federal statutes in regard to © 


which we have specific recommendations. 


FREEDOM OF INFORMATION ACT 


The Federal Freedom of Information Act? has a disturbing | 


feature that could be eliminated by means of an amendment quite 


in keeping with the primary purpose of the Act. As noted in 
Chapter III, the main objective of the Freedom of Information | 
Act is to facilitate public access to information about how the ' 
Federal government conducts its activities. The Act contains a | 
broad requirement that information held by Federal agencies be. 
publicly disclosed. Nine categories of information are specifically 
exempted from the Act’s mandatory disclosure requirement. For 
seven of the nine, moreover, disclosure is not prohibited or ; 
otherwise constrained by the Act, and the decision not to disclose is 


left entirely to the discretion of the agency holding the infor- 


mation. The agency is completely free to decide whether it will | 
comply with a request that it disclose information falling within } 


any of the seven exemptions.* 


25 U.S.C. 552 (1970). 


°The remaining two exemptions refer to information that is: “specifically required by 


Executive order to be kept secret in the interest of the national defense or foreign policy;” 4 
and “specifically exempted from disclosure by statute.” Legal prohibitions against 


disclosure of information in these two categories are not affected by the Act. 
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Of the seven discretionary exemptions, those that offer the most 
likely basis for an agency to withhold personal data from the public 


; are: 


trade secrets and commercial or financial information obtained 
from a person and privileged or confidential ; 


personnel and medical files and similar files the disclosure of 
which would constitute a clearly unwarranted invasion of 
personal privacy ; and 


investigatory files compiled for law enforcement purposes 
except to the extent available by law to a party other than an 
agency, 


The Act’s failure to provide for data-subject participation in a 
decision by an agency to release personal data requested under the 
Act is inconsistent with safeguard requirement ///(3) (p. 61, above) 
which calls for an individual’s consent to any unanticipated use of 
data about himself in an administrative automated personal data 
system. Enactment of this requirement would necessitate modifica- 
tion of the Freedom of Information Act to give the data subject a 
voice in agency decisions about public disclosure of information 
covered by the Act, whenever such: disclosure is not within the 
reasonable expectations of individuals about whom a Federal 
agency maintains data in an automated system. 

As we see it, an agency that is the custodian of personal data 
about an individual should not have unilateral discretion to decide 
to grant a request for public disclosure of such data, especially if 
the data fall within one of the exempted categories under the 
Freedom of Information Act. The data custodian should have to 
obtain consent from the data subject before releasing identifiable 
personal data about him from an administrative automated personal 
data system, except in cases where making the requested disclosure 
without the individual’s consent is within the stated purposes of the 
oe as specifically required by a statute. We expect such cases to 

e few. 

Accordingly, we recommend that the Freedom of Information 
Act be amended to require an agency to obtain the consent of an 
individual before disclosing in personally identifiable form exempt- 
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ed-category data about him, unless the disclosure is within the’ 
purposes of the system as specifically required by statute. Pending | 


such amendment of the Act, we further recommend that all Federal 
agencies provide for obtaining the consent of individuals before 


disclosing exempted-category personal data about them under the $ 


Freedom of Information Act. 


If the Act were so amended, its purpose of protecting the | 
public’s “right to know” about the activities of the Federal : 
government would be brought into a better balance with the no less 3 
important public purpose of protecting the personal privacy of | 


individuals who are the subjects of data maintained in the 


automated personal data systems of the Federal government. There j 
may be other areas of conflict between the safeguard requirements } 
and the Freedom of Information Act. The Act should be given a4 
thorough reappraisal with a view to formulating additional amend- g 
ments needed to accommodate the safeguard requirements. An ; 
amended Freedom of Information Act and the Code of Fair ¢ 
Information Practice we have proposed would, in combination, # 
provide an improved statutory framework within which to resolve # 
the unavoidable conflicts between personal privacy and open q 


government. 


FAIR CREDIT REPORTING ACT* 


The Fair Credit Reporting Act is the first Federal statute 3 
regulating the vast consumer-reporting industry. Its basic purpose, § 


as stated in the Act, is 
to insure that consumer reporting agencies exercise their grave 
responsibilities with fairness, impartiality, and a respect for the 
consumer’s right to privacy. 


The consumer-reporting industry is comprised of credit bureaus, q 
investigative reporting companies, and other organizations whose 4 
business is the gathering and reporting of information about F 


individuals for use by others in deciding whether individuals who. 


are the subject of such reports qualify for credit, insurance, or | 
employment. Consumer-reporting agencies typically operate what ' 


#15 U.S.C, 1681-1684. 
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Fwe have called administrative personal data systems, many of which 
Fcontain large quantities of intelligence-type data. Increasingly, these 
systems are being computerized. 
fF The Fair Credit Reporting Act requires consumer-reporting 
Fagencies to adopt reasonable procedures for providing information 
fabout individuals to credit grantors, insurers, employers and others 
Fin a manner that is fair and equitable to the individual with regard 
‘to confidentiality, accuracy, and the proper use of such informa- 
stion. It also places requirements on users of consumer reports and 
 consumer-investigative reports. 
‘ The chief requirements imposed by the Act include the follow- 


Accuracy of Information 


Consumer-reporting agencies must follow reasonable procedures in 
preparing reports to assure maximum possible accuracy of the 
information concerning the individual about whom the report is 
prepared. The. effect of this requirement extends to all the data 
gathering, storing, and processing practices of an agency. 


Obsolete Information 


Certain items of adverse information may not be included in a 
consumer report after they have reached specified “ages” (except in 
connection with credit and life insurance transactions of $50,000 or 
more and employment at an annual salary of $20,000 or more) viz.: 
bankruptcies—14 years; suits and judgments—7 years; paid tax liens—7 
years; accounts placed for collection or written off—7 years; criminal 
arrest, indictment, or conviction—7 years; any other adverse infor- 
mation—7 years. 


Limited Uses of Information 


A consumer-reporting agency may furnish a consumer repost about 
an individual to be used for the following purposes and no other: 

e in response to a court order; : 

e in accordance with written instructions of the individual to 
whom it relates; 

e to determine the individual’s eligibility for (@) credit or 
insurance to be used for personal, family, or household purposes, 
(ii) employment, including promotion, reassignment or retention 
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as an employee; or (iii) a license or other benefit granted by a 
governmental instrumentality required by law to consider an 
applicant’s financial responsibility or status; 

e to meet a legitimate business need for a business transaction 
involving the individual. 

A consumet-reposting agency must take all steps necessary to insure 
that its reports will be used only for the above purposes. 

Notices to Individuals 


Whenever credit, insurance, or employment is denied, or the charge 
for credit or insurance is increased, wholly or partly because of 
information in a report from a consumer-reporting agency, the user of 
the report must notify the individual affected and supply the name 
and address of the agency that made the report. 

Whenever a consumer-reporting agency reports public record infor- 
mation about an individual which may adversely affect his ability to 
obtain employment, it must notify the individual that it is doing so, 
including the name and address of the person to whom the 
information is reported. 

Whenever an investigative report (obtaining information through 
personal interviews with neighbors, friends, associates, or acquaint- 
ances) is to be prepared about an individual, he must be so notified in 
advance unless the report is for employment for which the individual 
has not applied. 


Individual’s Right of Access to Information 


An individual about whom an investigative report is being prepared 
has the right, upon his request, to be informed of the nature and 
scope of the investigation. 

An individual has the right, upon his request, and proper identifi- 
cation, to be clearly, accurately, and fully informed of: (i) the nature 
and substance of all information, except medical information, about 
him in the files of a consumer-reporting agency; (ii) the sources of 
such information, except sources of information obtained solely for 
an investigative report; and (iii) recipients of consumer reports 
furnished about the individual, within 2 prior years for employment 
purposes and within 6 prior months for any other purpose. (The 
individual has this right whether or not adverse action has been 


taken.) - 
Whenever credit is denied, or the charge for it increased, wholly or 


partly because of information obtained from a source other than a 
consumer-reporting agency, the individual affected has the right, upon 
his request, to learn the nature and substance of the information 
directly from its user. 
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Individual’s Right to Contest Information 


If an individual disputes the accuracy or completeness of informa- 
tion in a file maintained about him by a consumer-reporting agency, 
the agency must reinvestigate and record the current status of that 
information, or delete the information if it is found to be inaccurate 
or cannot be reverified. If the reinvestigation does not resolve the 
dispute, the individual has the right to file a brief statement explaining 
the dispute; and the agency must, in any subsequent report containing 
the disputed information, note the dispute and provide at least a clear 
summary of the individual’s statement. 


One reason for describing the Fair Credit Reporting Act in such 
detail is to illustrate the care with which the Congress has 
«responded to the need it found to protect individuals from the 
: adverse effects of unfair information practices in the consumer- 
reporting industry. Although the Congress adopted a regulatory 
K approach in this Act,’ it constitutes a strong precedent for our 
* recommended Code of Fair Information Practice. In regulating the 
“practices of both consumer-reporting agencies and the users of their 
" Teports, the Act, in effect, imposes many of the safeguard 
 tequirements we recommend. 

.. The chief reason for presenting the Fair Credit Reporting Act, 
however, is to illustrate the point that existing laws that provide 
y,greater protection for individuals than our safeguards offer should 
E be retained, while laws that provide less protection should be 
F amended to meet the standards set by the safeguards. Section 
 606(a) of the Fair Credit Reporting Act, 15 U.S.C. 1681d(a), for 
example, requires that an individual be notified that an investigative 
teport is being prepared about him before work on it is begun, 
. whereas safeguard requirement J/(2) (p. 59, above) gives an 
individual the right to be informed that he is the subject of a record 
,. only if he asks to know. In this instance, the Act’s requirement, 
,. responsive to the particular circumstances of the consumer— 
, Yeporting industry, provides the individual with greater protection 
, than our safeguard and should be retained. 


*The Federal Trade Commission has the basic responsibility for enforcing the Act, but 
Where specific types of institutions are already regulated (for other purposes) by other 
F agencies, those agencies are charged with enforcing the Act; e.g., the Comptroller of the 
y Currency (national banks), the Federal Reserve Board (member banks of the Federal 
Reserve Systems other than national banks), the Interstate Commerce Commission 
(common carriers), and the Civil Aeronautics Board (air carriers). 
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Conversely, safeguard requirement ///(2), which also guarantees 
an individual the right to see and obtain copies of data about him, 4 
provides more protection for individuals than Section 609(a) of the 
Fair Credit Reporting Act, 15 U.S.C. 1681g(a). Under the Act’s 
requirement the individual is entitled to be fully informed by a4 
consumer-reporting agency of the content of his record (except 4 
medical information and the sources of investigative information), 3 
but he is not entitled to see, copy, or physically possess his record. 3 
When an individual goes to a consumer-reporting agency to | 
determine what information it has on him, the contents of the 3 
record must be read to him, but he must take the agency’s word j 
that it is telling him about all information in the record, and about 3 
all sources and recipients thereof. We understand that individuals 3 
have found this arrangement generally unsatisfactory, and further, 4 
that as the proportion of “sensitive” or adverse personal data ina 4 
record increases, compliance with the full disclosure requirement * 
tends to diminish. 

To bring Section 609(a) more in line with the protection 
afforded individuals by safeguard requirement III(2), and thus to % 
achieve the objective of the Fair Credit Reporting Act more fully, 3 
we recommend that the Fair Credit Reporting Act be amended to 3 
provide for actual, personal inspection by an individual of his 3 
record along with the opportunity to copy its contents, or to have ! 
copies made. The choice between inspecting and copying should be 4 
left to the individual, and any charge for having copies made should 
be nominal. ; 

We further recommend that the exceptions from disclosure to 4 
the individual now authorized by the Fair Credit Reporting Act for ° 
medical information and sources of investigative information should 
be omitted. It is a disturbing thought that an investigative J 
consumer-reporting agency may have a record of medical infor- 3 
mation that the individual cannot know about or challenge. We 3 
realize that in Section 603(f) of the Fair Credit Reporting Act, 15 
U.S.C. 1681a(f), ‘‘consumer reporting agencies” is defined broadly 
enough to apply to some organizations that are customary and 4 
appropriate repositories of medical information. However, nothing; 
in the Act should warrant the inference that every type of 
organization falling within the umbrella definition of “consumerg 
reporting agencies” may, with impunity, conceal from an individual” 
the fact that it is gathering, recording, and reporting medical;,! 


»* We have explained our skepticism about the propriety of utilizing 
‘anonymous data sources when determinations about an individual’s 
’ Character, qualifications, rights, opportunities, or benefits are being 
f made. Moreover, we find no strong societal interest in having an 
: individual routinely denied credit, insurance, or employment on the 
F basis of information provided by any source that must be kept 
¢Secret from him.® 


Note on Mailing Lists 


_ The use of automated personal data systems to generate mailing 
F fists deserves special comment. Ordinarily such use entails no 
F perceptible threat to personal privacy. Even among individuals who 
strongly object to receiving quantities of so-called “junk mail,” 
nost would probably concede that their objections are not founded 
m any substantial claim that personal privacy has been invaded. 
Indeed, it is hard to see how the mere delivery of an item of mail to 
F an individual, even though it is addressed to him by name, in itself 
‘entails an offensive or harmful disclosure or use of personal data. 
* More important than the end use of the mailing list itself is the 
P question of the original source of the personal data from which the 
‘list was originally assembled. In most cases, commercial mailing lists 
P are made up of names and addresses gathered during the course of 
Fr commercial transactions. In the most typical case, buying an item 
ri through the mail assures that the buyer’s name will be added to the 
hist of a commercial dealer in names, and that the list will in turn 
sold, rented, and traded through a chain of further commercial 
ers. This exploitation of names may occasionally be irritating, 
; there is little potential for substantial disclosure of closely held 
“personal information, since nothing beyond name and address was 
robably revealed in the first place. 
A more serious threat to personal privacy arises when mailing 
F'lists are compiled from sources that have nothing to do with 
F’ commercial interests—the membership list of a professional society, 


‘Experience under the Fair Credit Reporting Act should be carefully assessed to 
mtify other amendments necessary to assure the effectiveness of its intended 
‘otections for individuals, For an analysis of deficiencies of the Act, see ‘‘Protecting the 
F'Subjects of Credit Reports,” The Yale Law Journal, Vol. 80, No. 5 (April, 1971), pp. 
; , : #035-1069. 

information about him. 4 : 
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will of a large number of agencies of the government; opposition from the 
Postal Service, from motor vehicle registrars, or from the Census Bureau, to 
F name a few examples, would seriously hamper the industry on its present scale. 
Fit seems likely that a scandal involving public records, or the development of a 
F public allergy to direct-mail advertising, would lead to government moves to 
2 put constraints on the industry. 

Constructive publicity toward emphasizing the rights of the individual 
F relative to direct-mail advertising, especially the methods the industry has 
a ‘adopted for getting off and getting on the larger lists, would go far in 
F’ strengthening these feedback mechanisms that already operate. In particular, 
F the Direct Mail Advertising Association’s Mail Preference Service deserves wider 
tention. 

F~ If feedback mechanisms stronger than those provided by the economics of 
F'the industry should become desirable, there would be formidable practical 
difficulties in applying the Committee’s safeguards to the freewheeling small 
Foperators of the direct-mail industry. The most directly applicable of the 
“€ommittee’s safeguards is the requirement for the informed consent of the 
ita subject to be obtained before any collateral use may be made of data from 
Fan administrative personal data system. To accomplish this, forms that are used 
by the system in transactions with individuals (applications, for example) and 
;. that are vulnerable to mailing-list uses, could be printed with a block in which 
F the individual—by his deliberate action—could indicate whether or not his 
name and address could be sold or otherwise transferred to another data 
system for mailing-list use. Of course, this could not prevent his name and 
address from being copied by hand out of a public record system, but the cost 
MOf such handcopy ing would sharply curtail much commercial use. 

In view of the controls already at work in the direct-mail advertising 
dustry, this limited application of the Committee’s safeguards seems 
fficient. It would provide protection to individuals from having their names 
funexpectedly appear on mailing lists without their consent. We doubt the 
peutility and feasibility of trying to make the rest of the Committee’s proposed 
risafeguard requirements apply to the mailing list as such, as a form of 
F administrative automated personal data system, or to organizations that deal 
F only in mailing lists. If the contro! of mailing lists is to be undertaken by law, it 
F should be done by legislation that is directed specifically to that purpose. 

"If the foregoing analysis of the situation underestimates the felt need for 
greater mailbox privacy, it would be feasible to undertake specific legislative 
Faction against the direct-mail advertising industry to provide greater pro- 
Ptections, as the regulation of information practices in the consumer-reporting 
P industry amply demonstrates. 


the faculty roster of a college, or the donor list of a charity. Int 
these cases, data furnished for one purpose are being used for 
another, and even though the original source may not have} 
contained more than the name and address, the mere fact of being’ 
on the list may reveal something about one’s private life. 
More serious still are lists derived from actual administrative data4 
systems. There is the strong probability that the original source, 
contained data that might well be intensely personal and that names 
will be selected for mailing lists on the basis of such data. The data 
files for driver licenses, for instance, usually contain medically 
information on disabilities. The administrative files of schools 
contain grades and other personal items. Any use of files such as! 
these for any but the original intention carries a clear danger 7 
exploitation of truly private personal information. ‘4 
The Committee staff studied the structure and practices of the’ 
mailing-list industry to gauge the threats to personal privacy that’ 
could arise from that source, as well as to examine the applicability 
of the safeguard requirements to the industry. The report of the’ 
study is presented in Appendix H; an abstract of its conclusions,’ 
which we fully endorse, is given here: q 
An underlying function of the Advisory Committee’s recommended safe- 3 
guards is to provide effective feedback mechanisms that will help to make, 
automated personal data systems more responsive to the interests of, 
individuals. Systems maintained by most government agencies, and by many, 
private organizations, do not provide for tight links between individuals andg 
the system operators. The direct-mail industry, however, is largely organized 
around the idea of public feedback; the trade press concentrates almost, 
obsessively on methods for maximizing response and minimizing complaints. 
Because most mailings draw a response from only 3 or 4 percent of they 
addressees, a small change in the response rate can have relatively large 
economic implications for the mailer. The same is true for the compilers and, 
brokers of mailing lists, because the price a list commands in the rental marketd 
depends not so much on its demographic sophistication as on its accuracy and; 
freshness. Lists are cleaned by adding a special imprint to the mailing which, 
gives the Postal Service authority to correct and return (at first-class rates) alld 
undeliverable pieces. Since it costs about four times as much to discover and 
correct a “‘nixie” as it does to make a clean mailing in the first place, there is a, 
powerful economic incentive to concentrate lists on known buyers at addresses, 
of known accuracy. 4 
Another feedback .mechanism operates on the industry as a whole,, 
Direct-mail advertising is strongly dependent for survival on the official good; 


SI eee ee 


see: 


were 


74 RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS 4 4 Safeguards for Administrative Personal Data Systems 75 


A Note on Intelligence Records 
Fis no need for safeguards for personal-data intelligence record- 
“keeping systems. The risk of abuse of intelligence records is too 
great to permit their use without some safeguards to protect the 
» personal privacy and due process interests of individuals. 

The mere gathering of intelligence data can be a serious threat to 
F personal privacy and should be carried out with strict respect for 
F the Constitutional rights of individuals. Once criminal intelligence 
rdata have been compiled, their use in connection with law 
P-enforcement prosecutions is safeguarded by all the Constitutional 
; Tequirements of due process and by laws that establish limitations 
“on the exercise of the police power, including civil and criminal 


In developing safeguard requirements, we have divided personal- 3 
data record-keeping systems into two broad categories, (i) adminis- 
trative systems, and (ii) systems maintained exclusively for statis- | 
tical reporting and research. The distinction between the two is in 
their purpose vis-a-vis individuals. Administrative systems are ! 
intended to be used to affect individuals as individuals; statistical 4 
reporting and research systems are not. According to this classifica-' 
tion, intelligence records are properly considered administrative 4 
records. ; 4 

A chief characteristic of intelligence records is that they are 4 
compiled for purposes that presuppose the possibility of taking ¥ 
adverse action against an individual. Their focus is on providing a’ 
basis for protecting the data-gathering organization, or other! 
organizations that it serves, against the individual. There are many J 
examples of intelligence-type personal-data record-keeping systems. 
From a historical standpoint, the original and classical intelligence 3 
records were those compiled and maintained about individuals who 
were viewed as possible enemies of the state. The most obvious and ‘4 
perhaps most common ones today are those compiled by the’ 
criminal intelligence systems of Federal, State, and local law4 
enforcement agencies about individuals suspected of being engaged 4 
in criminal activities, of being threats to public safety or national# 
security, or of being suitable objects of surveillance and investi-' 
gation for less clearly definable reasons. There are, however, many’ 
other examples of intelligence-type records, including investigative 
records of credit-reporting agencies, private detective agencies, ‘ 
industrial security organizations, and so on. It is hard to know how4 
many types of intelligence data systems exist because their function4 
leads as a rule to careful concealment. 

In framing our proposed safeguard requirements for adminis~* 
trative personal data systems, we did not focus on intelligence’ 
records as such. We realize that if ail of the safeguard requirements4 
were applied to ail types of intelligence records, the utility of many’ 
intelligence-type records for the purposes they are designed to served 
might be greatly weakened. In some instances this would clearly nots 
be a desirable outcome from the standpoint of important soctetai 
interests, such as the apprehension and prosecution of individuals 


F limitations. We have not attempted to assess whether protections 
F how afforded individuals from abuses of intelligence records as used 
& in criminal law enforcement should be strengthened. 

- We are concerned, however, about the use of criminal intelligence 
F data, and intelligence records maintained by organizations other 
*'than law enforcement agencies, for many purposes that involve 
Fdeterminations about the qualifications, character, opportunities, or 
F benefits of individuals to which the protective requirements of due 
P’ process may not apply or for which they may not be fully effective. 
P ‘Such determinations include suitability for employment, especially 
fin public service or in positions of critical fiduciary responsibility ; 
clearance for access to classified national security information held 
eby the Federal government and its contractors; and eligibility for 
various public benefits, permits, and licenses. 

Enactment of the proposed Code of Fair Information Practice 
‘ or administrative personal data systems will afford an excellent 
Feopportunity to determine precisely what protections for individuals 
Fshould be applied to intelligence record-keeping systems. Any 
Fexception from a safeguard requirement that is proposed for any 
Ftype of intelligence system must be specifically sanctioned by 
Fstatute and then only if granting the exception would serve a 
Fsocietal interest that is clearly paramount to the interest served by 
4 aving the requirement imposed. 

: The process of considering exceptions for intelligence systems 
ll entail a careful review of existing policies, laws, and practices 
verning the creation, maintenance, and use of intelligence records 
sabout individuals. The need for such a review has seldom seemed 
smore urgent in the history of our Nation. 
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a engaged in organized crime. It does not follow, however, that there - 


F remedies and penalties that may be imposed to enforce such 
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....4n an information-rich world, the wealth of in- 
formation means a dearth of something else: a scar- 
city of whatever it is that information consumes, 
What information consumes is rather obvious: it con- 
sumes the attention of its recipients. Hence a wealth 
of information creates a poverty of attention and a 
need to allocate that attention efficiently among the 
overabundance of information sources that might 
consume it. 


“He had been kicked in the head when young and 
believed everything he read in the Sunday Papers.” 


George Ade, Fables in Slang: 
The Slim Girl 


Herbert Simon, “Designing 
Organizations for an 
Information-Rich World.”* 


*In Martin Greenberger (Ed.), Computers, Communication, and the Public Interest (Baltig 
more, Md.: The Johns Hopkins Press), 1971, pp. 40-41. : 
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s. An organization also needs to plan for the future. A firm selling 
io the public is interested in knowing what the public wants, or can 
Be persuaded to want. A school needs to know about the financial 
mad intellectual capabilities of students coming to it for learning. A 
Hovernment agency tries to forecast demand for the services it pro- 
Rides or supports. 
These incentives to develop indicators of institutional perfor- 
Enance make it difficult to control the quantity and variety of per- 
sonal data stored in administrative record-keeping systems, and the 
Statistical-reporting and research uses that are made of such data. 
ithe personal data that organizations collect for administrative pur- 
gses should be limited, ideally, to data that are demonstrably rele- 
want to decision making about individuals. A substantial amount of 
fersonal data, however, appear to be collected because at some 
point someone thought they might be “useful to have,” and found 
they could be easily and cheaply obtained on an application form, 
fr some other record of an administrative transaction. 
> For example, college students applying for government: 
aranteed loans in one State have been required to provide the 
te guarantee agency with data on matters that had no direct 
ion to its individual entitlement decisions. These data, “for our 
stical interest”? as their intended use was described to the Com- 
ittee, included race, marital status, sex, adjusted family income, 
student-reported “average grades received for last term of full- 
me post-high school study.” These data have been used to produce 
fatistical reports for internal agency use, for informal discussions 
h State legislators, and to “run a profile once yearly 
.schools and...lenders to see if there is any odd pat- 
. occurring.”” On one occasion data in the system also have 
used in a study conducted by an outside researcher. For 
ing entitlement decisions, however, the data being collected in 
Excess of those required by law were described to us as not very 
Belpful to the program, and at least two data elements—sex and 
student-reported grades—were said to be absolutely valueless.' 


Statistical-Reporting 
and Research Uses of. 


Administrative Data Systems 


Many automated personal data systems established primarily for 
administrative purposes are also used for statistical reporting and: 
research. Since one advantage of computerizing administrative, 
records is the capability thereby acquired for high-speed data re“ 
trieval and manipulation, a growing number of administrative dataj 
systems will be put to such additional uses. The safeguard recom-j 
mendations in this chapter take account of that expectation. 


Dimensions of the Problem 


A modern organization, as a rule, maintains elaborate records 


an : 
: . ie A E*" A representative of the Stat told i 
about the money it spends, the people it serves, the quantities of ? EE hr ia 


pel a student applicant to provide this information “because we have come to find it is 


goods and services it dispenses, and the number, qualifications, and’ y worthless .... [A]t one time we thought it would be a viable way of sampling the 
salaries of the people who work for it. It does so, in part, because it eype of student we would assist. We determined it is not much use . . . [but w]¢ have not 


must account for its activities to investors or taxpayers, and to 4 aueal 
other organizations that monitor and regulate its behavior. 
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.Our experience indicates that....rigid adherence to 
proper data collection often “‘turns off’ many clients, even 
when the interviewer is ingenious at gathering it. Also coun- 
~ selors often openly resent [having to ask] questions which 
F actually may jeopardize their relationship with a client. 


The student loan case is but one illustration. The presentations of 
system managers and users yielded others. We found that decisions, 
to collect personal data are being made without careful considera-; 
tion of whether they will in fact serve the purposes for which they 
are supposedly being collected. As a result, substantial sums may be; 
spent on comprehensive data collections for purposes that could 
often be much better served by other approaches, such as collecting 
statistical-reporting and research data only from a small sample off 
an organization’s clients or beneficiaries. Most disturbing of all, wa 
found that personal data in excess of those clearly needed for 
making decisions about individuals are sometimes collected in a wa¥ 
that makes them seem prerequisite to the granting of rightsé 
benefits, or opportunities. 


s; Perhaps. most important of all is the intrusive effect of unre- 
pirained data collection on self-esteem. Occasionally one hears that 
.wealthy citizen has hired a chauffeur and limousine to avoid 
misclosing his Social Security number, or some other item of infor- 
mation, to a State Department of Motor Vehicles. One is tempted 
BO dismiss such protests as the trivial antics of rich eccentrics; yet 
y indicate the high cost of trying to escape personal inquiries of 
anizations that monopolize the distribution of certain privileges 
benefits. The plight of the welfare beneficiary is especially 
reme in this respect, but with all the forms that everyone of us is 
pnstantly filling out, it would probably be hard to find a single 
endividual who has not had one occasion at least to wonder, “Why 
Mio they want to know that?” and “What will happen if I refuse to 
3 them?” 

z collecting statistical-reporting and research data in conjunction 
with the administration of service and payment programs is not 
intrinsically undesirable. However, such supplementary data gather- 
should be carefully designed and managed, and should be per- 
ed only with the voluntary, informed cooperation of individual 
respondents. Otherwise only personal data directly and demon- 
3 Erably germane to a decision about any given individual should be 
mallected. 

F Separate collection of data for statistical reporting and résearch 
eOuld have several practical advantages. First, by increasing the cost 
wf supplementary data gathering, it discourages the collection of 
é Bseless items. Second, it might reduce the amount of data that must 
xe specially protected because it is identifiable. Although personal 
fata maintained exclusively for statistical reporting and research 
erten need broader and stronger protection than they are af- 
perded,° differentiating sharply among the purposes and uses of 


Mandatory or Voluntary Data Collection? 


Poorly conceived data collection can result in various kinds of 
injury to individuals. As observed earlier, any file of personal data is’ 
a potential source of harm to individuals when it is used outside itg 
appropriate context, and much of the personal data in adminis-¥ 
trative files either is a public record or is vulnerable to legal process: 

There is also reason to believe that failure to separate informa” 
tion collected for statistical-reporting or research from data used in¥ 
entitlement decisions may cause such decisions to be made unfairly: 
“Race” and “‘sex” are no longer asked on many application forms 
because of their acknowledged influence on some types of decisiom 
making about individuals. There are circumstances in which othe® 
kinds of data may have similarly unwarranted effects.? Moreover, 
:collecting more information than is needed for day-to-day adminis 
trative decisions may discourage people from taking advantage of 
the services an organization offers. As one witness told the Commit= 
tee: 4 


2 For a cogent analysis of the effects of “contextual” information on clinical disability 
determinations, see Saad L. Nagi, Disability and Rehabilitation (Columbus, Ohio: Ohig 
State University Press), 1969, especially Chapters 2 and 9. Discussion of this problem wi] 
also be found in Stanton Wheeler (Ed.), On Record: Files and Dossiers in American Lift 
(New York: Russell Sage Foundation), 1969. 


*The special problems of data maintained exclusively for statistical reporting and 
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data files should encourage public confidence in organizatio an Three conditions that encourage sound use of data systems for 
record-keeping practices and ease the access control burden thaw matistical reporting and research are often absent from the environ- 
now weighs heavily on some system managers. gent in which administrative systems are designed and operated. 
Third, separate collection of personal data for statistical repo Bey are: 
ing and research could help to make the collection process moré Fe knowledge of the social processes by which data come to 
reliable. We learned of instances in which an ambitious informatiof Bbe collected; 
system’s appetite for data has induced careless statistical reporting§ 
This problem appears to be especially prevalent where an informé 
tion system has been established to help coordinate the activities’oj 
a number of small, loosely knit organizations. Such carelessness cag 
frustrate the management objectives of a system by diluting thg results. 
quality of data furnished to it in ways that may not be recognizeg aK rowledge of Data Collection Processes. Detailed understanding 
or, if recognized, may be very difficult to control.* Row and why data come to be collected is often difficult, if not 
Massible, to achieve. For example, not everyone who is eligible 
wblic assistance applies for it, and the amount and kind of 
nation collected from each applicant may vary in subtle 
5 Hence, if data from administrative systems are used for 
al reporting and research, the results must take account of 
atic bias resulting from incompleteness in the data base. 
ring such bias can be expensive and time-consuming, and 
ctions for it can be even harder to make. Highly trained people 
éeded to conduct careful studies of the processes by which 
a system are being generated. Because of their expense and 
ulty, however, and also because they can bring to light 
acies in the overall performance of an organization, such 
s tend not to be done. 


‘ _ management of data collection and analysis by indi- 
pyiduals with strong statistical and research competence; and 


Be-independent expert scrutiny of analytic methods and 


Assuring Sound Secondary Uses of Administrative Data Systems 


Administrative record-keeping operations can and do constitu ig 
rich sources of statistical-reporting and research data’ useful fog 
many purposes. For example, the Federal government uses Interng 
Revenue Service records as a source of data for the quinquennig 
Census of Business and Manufacturers; hospital records are used 
develop research data banks on particular diseases or disabilitieg 
school and college records are used to study the relationship bg 
tween academic performance and subsequent career achievemenf 
Unfortunately, however, the mere existence of an administrativg 
data base can create a strong temptation to use it for statisticg 
reporting and research without sufficient attention to the appropry 


tistical and Research Competence. Because most adminis- 
ateness of doing so. 


e systems are committed to day-to-day record-keeping opera- 
they are seldom managed or staffed by persons with strong 
cal and research competence. It is true that the statistical 
ss of a few large government agencies—notably the Social Secu- 
Administration and the Internal Revenue Service—have sub- 


4 As one representative of a small group of agencies observed in his testimony bet ially influenced the statistical uses made of their principal data 


the Committee: 


Client- (rather than management-} oriented agencies are philosophically committed 4 
to research only secondarily, asa tool for delivering. more effective services. There-,, 
fore, they often must be dragged kicking and screaming into the data collection 3 variations may result from practices rooted in a bureaucratic subculture of 
business. This is totally apart from their finances or their training .... Where 4 the record-keeping operation is but one—albeit important—part. See, for example, 
services are... interfered with, data collection goes out the window. Measurement Berdiscussions of how juvenile court, welfare, credit, and elementary school records are 
error can then be quite high. ; Bicd, in Wheeler, op. cit., Chapters 2, 5, 11, and 12, 
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sources, which are mainly administrative records. Similar examples 
can be found at other levels of government and among private 
organizations, but there are also numerous instances in which such 
statistical and research competence is brought to bear only through 
informal or sporadic consulting arrangements, if at all. 


Independent Scrutiny. Because administrative data systems are 
not created expressly for statistical reporting and research, they also 
tend to lack the strong ties to external groups of data users, and to 


the formal systems of professional peer review that characterize # 


general purpose statistical-reporting and research operations. This 
isolation from independent expert scrutiny, coupled with the man- 
agement orientation of administrative data systems, weakens the 
incentive to maintain high standards in the secondary statistical- 
reporting and research uses that are made of them. 


_ 4 


Neglect of these three conditions is particularly dangerous in a 
governmental setting. In business, the quality of statistical reporting 
and research may be measured by the usefulness of such work to 
the planning and marketing functions that maintain a firm’s com- 
petitive position. In government, however, feedback from the mar- 
ketplace is attenuated. Save for the occasional newsworthy sta- 
tistical report, the ancillary uses of administrative data systems may 
be ignored by outside professionals and invisible to the general 
public and its elected representatives. 

In the Federal Government, formal arrangements for implement- 
ing the Federal Reports Act are supposed to serve as a check on the 
uses made of administrative record-keeping systems for statistical 
reporting and research. However, at other levels of government, the 
low visibility of such uses, coupled with the uneven impact of pub- 
lic information laws, can create an open invitation to misguided use 
of statistical reports and research findings based on administrative 
data. 

We learned, for example, that one agency of a State government 
recently attempted to compare earnings declarations made by some 
public assistance beneficiaries to county welfare offices, with earn- 
ings of those same beneficiaries reported by their employers to a 


second State agency. This complex comparison of data derived q 


from two quite different administrative record-keeping systems was 
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undertaken mainly to verify the beneficiaries’ eligibility for public: 
assistance payments on a case-by-case basis, but it also resulted in a 
statistical report “showing” that a substantial percentage of the 
State’s public assistance beneficiaries were engaged in “apparent 
fraud.” The design of the comparison, and thus the resulting data, 
supported no such conclusion. Few people are aware of its technical 
failings, however, and it seems unlikely that many more will dis- 
cover them, since appropriately documented data from the study 
have not been made available outside the sponsoring State agencies. 


Recommendations 


In light of our inquiry into the statistical-reporting and research 
uses of personal data in administrative record-keeping systems, we 
recommend that steps be taken to assure that all such uses are 
carried out in accordance with five principles. 


First, when personal data are collected for administrative 
purposes, individuals should under no circumstances be co- 
erced into providing additional personal data that are to be 
used exclusively for statistical reporting and research. When 
application forms or other means of collecting personal data 
for an administrative data system are designed, the manda- 
tory or voluntary character of an individual’s responses 
should be made clear.® 


Second, personal data used for making determinations 
about an individual’s character, qualifications, rights, bene- 
fits, or opportunities, and personal data collected and used 
for statistical reporting and research, should be processed 
and stored separately. ” 


®Recall in this regard safeguard requirement III (1), recommended in Chapter IV 
(p. 59, above) for all administrative automated personal data systems; viz., that an indi- 
vidual asked to supply data for a system be informed clearly whether he is legally required 
or free to refuse to provide the data requested, That safeguard, when applied, will effec- 
tively eliminate de facto coercion of data subjects into providing more information than is 
needed for making administrative decisions. 

7 Separating the two types of data in this way would make it easier to apply the 
protection against compulsory disclosure recommended in Chapter VI (pp. 102-103, 
below). 
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Third, the amount of supplementary statistical-reporting 
and research data collected and stored in personally identifi- 
able form should be kept to a minimum. 


Fourth, proposals to use administrative records for statis- 
tical reporting. and research should be subjected to careful 
scrutiny by persons of strong statistical and research com- 


petence. 


Fifth, any published findings or reports that result from 
secondary statistical-reporting and research uses of adminis- 
trative personal data systems should meet the highest stan- 
dards of error measurement and documentation. 


It would be difficult to apply each of these principles uniformly 
to all administrative automated personal data systems. For this rea- 
son, we have not translated them into safeguard requirements to be 
enacted as part of a code of fair information practice. Adherence to 


their spirit, however, is warranted by the growing significance of 


statistical-reporting and research uses of administrative personal 
data systems—both for individual data subjects and for the institu- 
tions maintaining such systems. 

In addition, there are certain safeguards that can be feasibly ap- 


plied to all administrative automated personal data systems used for | 
statistical reporting and research. Specifically, we recommend that ; 


the following requirements be added to the safeguard requirements 
for administrative personal data systems: 


e Under I. General Requirements (Chapter IV, pp. 53-57), add— 


C. Any organization maintaining an administrative automated personal data q 
system that publicly disseminates statistical reports or research findings based 4 


on personal data drawn from the system, or from administrative systems of 
other organizations, shall: 


(1) Make such data publicly available for independent analysis, 
on reasonable terms; and 
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(2) Take reasonable precautions to assure that no data made 
available for independent analysis will be used in a way that 
might reasonably be expected to prejudice judgments about any 
individual data subject's character, qualifications, rights, op- 
portunities, or benefits. 


Under the Public Notice Requirement (Chapter IV, p. 58), 
add— 


(8a) The procedures whereby an individual, group, or organiza- 
tion can gain access to data used for statistical reporting or 
research in order to subject such data to independent analysis. 


The purpose of general requirements -C. (J) and C. (2) is to assure 


_ that when statistical reports or research findings based on personal 
; data from administrative systems are used to affect social policy, 
| the data will be available, in an appropriate form, for independent 


analysis. To comply with this requirement, an organization will 
have to plan carefully all publicly disseminated statistical-reporting 
and research uses of personal data in the administrative systems it 
maintains. 

The public notice for an administrative personal data system will 


d specify any statistical-reporting and research uses to be made of 
f data in the system (requirement JI. (7), p. 58) The additional 


information required by requirement (8a) will make it easier to 


; obtain access to data for independent analysis. 


Sweet Analytics, ‘tis thou has ravished me! 


Marlowe, Faustus , 1, 34 


Vi 


Special Problems of 
Statistical-Reporting and 


+ Research Systems 


When the United States was at war with Japan in 1942, the War 
Department asked the Census Bureau for the names and addresses 


of all Japanese-Americans who were living on the West Coast at the 
, time of the 1940 Census. Persons of Japanese descent were being 
| rounded up and transported inland for fear that some of them 


might prove disloyal in the event of a Japanese attack. Because of 


Title 13 of the U. S. Code, however, which prohibits disclosure of 


census data furnished by individuals, the Census Bureau could, and 


@ did, refuse to give out the names and addresses. 


In 1969, the Mercer County (N.J.) Prosecutor’s Office sub- 
poenaed the payment histories of 14 families participating in an 
income-maintenance experiment being conducted by a private con- 


q tract research organization in Princeton. The prosecutor suspected 


that the families were defrauding the county welfare department by 
not reporting their monthly income from the experiment. The con- 
tractor found that it had no legal basis for resisting the subpoenas, 
even though its federally funded subcontract explicitly provided 


. that “individual personal and financial information pertaining to all 
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individuals and families who participate as respondents in this study 
shall remain strictly confidential.’”! 

The difference between these two cases is clear and fundamental: 
In the Census case, the data were protected by a statute? from 
disclosure in individually identifiable form; in the New Jersey case 
they were not.’ This chapter examines some of the problems posed 
by legally unprotected statistical-reporting and research files that 
contain data about identifiable individuals. It focuses on the need 
to protect individual data subjects from injury through disclosure of 
data about them, on one hand, and, on the other, the need to make 
files of personal data more accessible to persons who can make 
constructive use of the data they contain. 


Background Observations 


When we began our examination of automated record-keeping 
operations, we expected that we could leave out entirely data 


1 David N. Kershaw and Joseph C. Small, “Data Confidentiallity and Privacy: Lessons 
from the New Jersey Negative Income Tax Experiment,” Public Policy, Vol. XX, No, 2 
(Spring 1972), p. 261. The Mercer County dispute stemmed from a change in the State 
public assistance law which made more participants in the experiment eligible for welfare 
than had been the case when the experiment began. The 1969 investigation was termi- 
nated when the contractor agreed to reimburse the county welfare agency for any over- 
payments that came to light. Two years later, however, the experiment was subjected to a 
four-month grand jury investigation of charges that the contractor had “instructed iow- 
income families taking part in the experiment not to report income subsidies to city and 
county welfare authorities ....” /bid., p. 268. During this same period, access to the 
contractor’s files was also sought by the General Accounting Office and the U. S. Senate 
Finance Committee. : 


? The current version of this protection provides that: 


Neither the Secretary, ‘nor any other officer or employee of the Department of Com- 
merce or bureau or agency thereof, may. . .(1) use the information furnished under the 
provisions of this title for any purpose other than the statistical purposes for which it is 
supplied; or (2) make any publication whereby the data furnished by any particular 
establishment or individual under this title can be identified; or (3) permit anyone other 
than the sworn officers and employees of the Department or bureau or agency thereof to 
examine the individual reports. . . .13 U.S.C. 9{a). 


3 The New Jersey case is not unique. At least two other incidents of a similar nature 
have been reported. See John Walsh, ‘‘Anti-poverty R&D: Chicago Debacle Suggests Pit- 
falls Facing OEO,” Science, 165, 19 September 1969, pp. 1243-1245; and “Appeals Court 
Orders MD to Reveal Patients’ Photos,” Psychiatric News, VII:2, November 15, 1972, p. 
1. The latter describes a pending court case involving the New York City Methadone 
Maintenance Treatment Program. 


Statistical-Reporting and Research Systems 91 


systems maintained exclusively for statistical reporting or research. 
We were mindful that in the mid-1960’s a series of proposals* to 
establish a national statistical data center had alerted the public to 
some of the dangers inherent in computer-based record-keeping op- 
erations. We also knew that the Freedom of Information Act con- 
tains no clear statement of Congressional intent with respect to the 
disclosure of individually identifiable data maintained for statistical 
reporting and research. We had assumed, however, that statistical- 
reporting and research data systems, by and large, would not con- 
tain data in personally identifiable form, and that if they did, the 
anonymity of individual data subjects would be protected by spe- 
cific statutory safeguards. We were not prepared for the discovery 
that in many instances files used exclusively for statistical reporting 
and research do contain personally identifiable data, and that the 
data are often totally vulnerable to disclosure through lega) process. 
This holds for data in Federal agency files as well as for data in the 
possession of State agencies and private research organizations. 

Changes in social policy, which computer technology has to some 
extent facilitated, are in large part responsible for the existence of 
unprotected statistical-reporting and research files. Since the late 
1950’s, the Federal Government has been distributing increasingly 
large sums of money to the States on the basis of formulas that take 
account of special population characteristics. The recipient State 
governments, in turn, have been redistributing this money among 
their own political subdivisions, using grant-in-aid formulas that 
tend to generate new requirements for statistical data about people 
at nearly every level of government. Often coupled with these 
grants, moreover, have been planning requirements demanding 
highly detailed information about the populations of small geo- 
graphic areas. 

Program evaluation requirements, first levied on grant-in-aid re- 
cipients by Federal agencies and later explicitly written into some 


4 Report of the Commitiee on the Preservation and Use of Economic Data to the Social 
Science Research Council, April 1965, reprinted as Appendix I in The Computer and 
Invasion of Privacy, Hearings before a Subcommittee of the Committee on Government 
Operations, U. $. House of Representatives, 89th Congress, 2d Session, July 26, 27, 28, 
1966; Statistical Evaluation Report No, 6—Review of Proposal for a National Data Center, 
prepared by Edgar S. Dunn, Jr., also reprinted in The Computer and Invasion of Privacy as 
Appendix 2; and Report of the Task Force on the Storage of and Access to Government 
Statistics (Washington, D.C.: Bureau of the Budget), October 1966. 
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of the agencies’ authorizing legislation, have been a further stimulus 
to the proliferation of statistical-reporting and research files con- 
taining data about people. From their initial emphasis on simple 
input accounting (how much was spent, by whom, for what pur- 
pose, on how many people, with which characteristics ), evaluation 
studies have rapidly come to focus on measuring program effects.‘ 
Because effects measurement usually requires before-and-after data 
on program participants, it has become necessary to preserve indi- 
vidual identities in evaluation research files. Interest in the specific 
events and processes that may account for changes in participant 
behavior over time has also grown along with interest in output 
measurement. Many of the factors that account for a participant’s 
behavior are so subtle that they can only be isolated if records of 
people’s movements and experiences are kept over an extended 
period. 

A third factor that has enlarged the number of data files contain- 
ing information about identifiable individuals is the broad support 
given to fundamental research in the social and biomedical sciences. 
In fact, files for research in these two areas may be the most numer- 
ous of all, and they exist in a variety of settings. Many such files are 
coming into the possession of government agencies as a conse- 
quence of contract arrangements that make agencies the proprietors 
of data generated in government-supported research and demonstra- 
tion projects. Not all of these files contain information that identi- 
fies individual data subjects, but of those that do, the ones dealing 
with controversial social and political issues are particularly vulner- 
able to misuse in the absence of specific statutory safeguards. 


The Need to Protect Data Subjects From Injury 


Even at the Federal level there are few statutes that protect 
personal data in statistical-reporting and research files from unin- 
tended administrative or investigative uses. The Census Act, the 


5There is today a ‘substantial evaluation research literature to which the interested 
reader can refer for a fuller account of how this new government-supported activity has 
developed. See, for example, Edward A. Suchman, Fveluative Research (New York: 
Russell Sage Foundation), 1967; Francis G. Caro, Readings in Evaluation Research (New 
York: Russell Sage Foundation, 1971; and Peter H. Rossi and Walter Williams (Eds.), 
Evaluating Social Programs: Theory, Practice, and Politics (New York and London: 
Seminar Press), 1972. 
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Public Health Service Act, and the Social Security Act are notable 
exceptions. Otherwise there is little to prevent anyone with enough 
time, money, and perseverance (to say nothing of someone who can 
issue or obtain a subpoena) from gaining access to a wealth of 
information about identifiable participants in surveys and experi- 
ments. This should not, and need not, be the case. 

Social scientists and others whose research involves human sub- 
jects are vocal about the importance of being able to assure indi- 
viduals that information they provide for statistical reporting and 
research will be held in strictest confidence and used only in ways 
that will not result in harm to them as individuals. Unless people 
get—and believe—such assurances, they will inevitably become 
either less willing or less reliable participants in surveys and experi- 
ments.® Ideally, data subjects should also be told of the conditions 
under which they are being asked to provide information, and 
should be given an opportunity to refuse if they find those condi- 
tions unsatisfactory. It is often asserted, for example, that the de- 
cennial census (in which response is mandatory) is a feasible under- 
taking only because the public willingly co-operates, and that the 
public’s cooperation is best obtained by explaining to respondents 
the uses to which the data will be put. 

We believe the principle that no harm must come to an individual 
as a consequence of participating in a general knowledge-producing 
activity should be regarded as the essence of “use for statistical or 
research purposes only.” Individual data subjects asked to provide 
data for statistical reporting and research should also be fully in- 
formed, in advance, of the known consequences for them of pro- 
viding or not providing data. Survey respondents and participants in 
experiments and demonstration projects are largely dependent on 
what they are told by interviewers or by explanatory notes on 
forms. Hence, it is incumbent on the institution conducting or 
funding a statistical-reporting or research project to find out how 
vulnerable the data in its files are, and so to inform its data subjects. 

Finally, we believe that the best way to assure that individual 
data subjects will not be harmed is to extend to all personal data 
generated through statistical-reporting and research activities the 


®See Chapter 6, “Privacy and Confidentiality,” in Federal Statistics, the Report of the 
President’s Commission on Federal Statistics (Washington, D.C.: U.S. Government Printing 
Office), 1971. 
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statutory protections that have been given to census data and cer- 
tain classes of health and economic data collected and used in the 
public interest. 


The Need for Freer Access to Data in Government Files 


The obverse of the problem of data confidentiality is the need to 
make basic data more accessible for reuse or reanalysis by all quali- 
fied persons or institutions. Personal data systems for statistical 
reporting and research are largely in the hands of institutions that 
wield considerable power in our society. Hence, it is essential that 
data which help organizations to influence social policy and be- 
havior be readily available for independent analysis. 

The ubiquitous computer has increased both the quantity of data 
potentially available to users and the number of potential users. 
Unfortunately, however, the data dissemination capability of many 
funding and collecting institutions has not grown commensurately. 
Among the general purpose statistical operations of the Federal 
government, the Census Bureau has led the way in making data 
from standard statistical series easily available to users in a form 
that protects the anonymity of respondents. Other agencies, nota- 
bly the National Center for Health Statistics, have followed suit.’ 
The Department of Health, Education and Welfare is currently pre- 
paring a guidebook of its “‘public use”’ data files.® 

Laudable as these efforts are, it should be emphasized that they 
are being made, for the most part, by agencies or offices within 
agencies whose primary mission is statistical reporting and research. 
They do not address the problem of access to the statistical- 
reporting and research files that operating agencies develop in the 
course of evaluating programs or in adding to the general knowledge 
of program administrators. It is true, as noted earlier, that anyone 
with enough money, time, and perseverance can probably gain ac- 
cess to substantial amounts of data not generally available for pub- 
lic use. Yet the individual researcher, or the independent critical 


7National Center for Health Statistics, Standardized Micro-Data Transcripts (Rockville, 


Md.: National Center for Health Statistics), December 1972. 


® Guidebook to the U.S. Department of Health, Education, and Welfare Computer Data 
Files, 1973 (forthcoming), 
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expert, however perseverant, may not even know that important 
data exist, much less where to find them. If he does find them, and 
if he can afford to have them put in usable form, the documenta- 
tion may not be sufficient to permit reconstruction of the condi- 
tions and suppositions under which the data were collected. An 
agency holding data collected under a pledge of confidentiality may 
not be willing to go to the trouble (or may itself not be able to 
afford the cost) of expunging elements that would serve to identify 
individual data subjects in order to make the data available. 

In principle, there need be no conflict between informing the 
public about how the government conducts its business and protect- 
ing individual data subjects from harm. If data cannot be made 
available for reuse or reanalysis without disclosing the identity of 
data subjects, special precautions may have to be taken before 
making basic data accessible to qualified persons outside the collect- 
ing organization, but such precautions can be taken. For example, 
each data subject could be asked at the time of the initial data 
collection if he would consent to participate in a follow-up study, 
on the understanding that consent would be sought anew each time 
a further follow-up study is undertaken. Although such arrange- 
ments may add to the expense and difficulty of some data collec- 
tions, a public institution that uses scientific approaches and 
methods has a duty to make the work it sponsors or supports 
available for critical appraisal. 

Making fully documented data available for reuse and reanalysis 
by persons competent to assess the interpretations that have been 
made of them can bring two benefits. First, the knowledge that 
other investigators will have an early opportunity to challenge its 
conclusions should tend to heighten the quality of the original 
collection and analysis, and second, advances in the sciences may 
produce more powerful techniques of analysis that could make it 
possible to glean additional information from data in the course of 
re-examining them. ; 


Recommendations for Statistical-Reporting and Research Systems 


In Chapter IV, we have recommended enactment of legislation 
establishing a code of fair information practice for all automated 
personal data systems. All the features of that code would apply to 
systems used exclusively for statistical reporting and research. The 
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safeguard requirements to be included in the code for such systems 
are set forth below. They are designed to help protect the individual 
citizen against unintended or unforeseeri uses of information he 
provides exclusively for statistical reporting and research, and to 
help assure that the uses organizations make of statistical-reporting 
and research data are subjected to independent expert review and 
open public discussion. Pending the enactment of a code of fair 
information practice as outlined in Chapter IV, we recommend that 
all Federal agencies (i) apply the safeguard requirements, by admin- 
istrative action, to all Federal statistical-reporting and research 
systems, and (ii) assure, through formal rule making, that the safe- 
guard requirements are applied to all systems within reach of the 
Federal government’s authority. Pending the enactment of a code 
of fair information practice, we also urge that State and local gov- 
ernments, the institutions within reach of their authonity, and all 
private organizations adopt the safeguard requirements by whatever 
means are appropriate. 

In addition, we recommend that all personal data in systems used 
exclusively for statistical reporting and research be protected by 
statute from compulsory disclosure in identifiable form. The safe- 
guard requirements recommended below are premised on the enact- 
ment of legislation granting such protection. There is no require- 
ment, for example, guaranteeing data subjects access to the con- 
tents of records maintained about them. Theoretically, no such 
requirement is needed, since statistical-reporting and research data 
systems are not intended to be used to affect individuals directly; 
granting individuals access to records that can have no direct conse- 
quences for them as individuals would interfere with a system’s 
operations to no useful end. In practice, however, the vulnerability 
of data in many statistical-reporting and research systems to com- 
pulsory disclosure in identifiable form means that for individual 
data subjects to be adequately protected from unforeseen disclo- 
surers, those data must be afforded immunity from disclosure 
through compulsory legal process. 

The safeguard requirements for statistical-reporting and research 
systems are modeled closely on the safeguard requirements for ad- 
ministrative systems in Chapter IV. Hence explanatory notes are 
provided only in those cases where a requirement has been modified 
to fit the special characteristics of statistical-reporting and research 
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systems. Where no notes appear following a requirement, the reader 
should refer to the notes on the corresponding safeguard in Chapter 
IV. 


SAFEGUARD REQUIREMENTS FOR 
STATISTICAL-REPORTING AND RESEARCH SYSTEMS 


I. GENERAL REQUIREMENTS 


A. Any organization maintaining a record of personal data, which it does 
not maintain as part of an automated personal data system used exclusively for 
statistical reporting or research, shall make no transfer of any such data to 
another organization without the prior informed consent of the individual to 
whom the data pertain, if, as a consequence of the transfer, such data will 
become part of an automated personal data system that is not subject to these 
safeguard requirements or the safeguard requirements for administrative per- 
sonal data systems (in Chapter IV). 


All other safeguard requirements for statistical-reporting and 
research systems have been formulated to apply only to auto- 
mated systems, although they would wisely be applied to all 
statistical-reporting and research systems, whether automated 
or manual. If this is not done, however, it is necessary to 
assure that individuals about whom an organization maintains 
records of personal data, which are not part of an automated 
system, will be protected in the event of transfers of such data 
to automated systems. Requirement /.A. is intended toiprovide 
such protection for individuals by requiring that transfers of 
data about them to automated systems not subject to safe- 
guard requirements be made only with their informed consent. 


B. Any organization maintaining an automated personal data system used 
exclusively for statistical reporting or research shall: 


(1) Identify one person immediately responsible for the system, 
and make any other organizational arrangements that are neces- 
sary to assure continuing attention to the fulfillment of the 
safeguard requirements; 
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The obligation to identify a person responsible for the system 
is intended to provide a focal point for assuring compliance 
with the safeguard requirements and to guarantee that there 
will be someone with authority to whom individuals, groups, 
or organizations can go if other methods of dealing with the 
system are unsatisfactory. Systems that involve more than one 
organization may present special problems in this respect, and 
must be carefully designed to assure that a person is not shuf- 
fled from one organization to another when he seeks to assert 
any right under these requirements. 


(2) Take affirmative action to inform each of its employees 
having any responsibility or function in the design, develop- 
ment, operation, or maintenance of the system, or the use of 
any data contained therein, about all the safeguard requirements 
and all the rules and procedures of the organization designed to 
assure compliance with them; 


(3) Specify penalties to be applied to any employee who inti- 
ates or otherwise contributes to any disciplinary or other puni- 
tive action against any individual who brings to the attention of 
appropriate authorities, the press, or any member of the public, 
evidence of unfair information practice; 


(4) Take reasonable precautions to protect data in the system 
from any anticipated threats or hazards to the security of the 
system; 


(5) Make no transfer of individually identifiable personal data 
to another system without (i) specifying requirements for secu- 
rity of the data, including limitations on access thereto, and (ii) 
determining that the conditions of the transfer provide substan- 
tial assurance that those requirements and limitations will be 
observed—except in instances when each of the. individuals about 
whom data are to be transferred has given his prior informed 
consent to the transfer; 


Requirement (5) has basically the same implications for 
statistical-reporting and research systems that it has for admin- 
istrative systems (Chapter IV, p. 56). However, applied to 
statistical-reporting and research systems along with require- 
ment f/I {2)(p. 101, below), requirement (5) will also prevent 
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an organization or a researcher from transferring data in identi- 
fiable form to another organization or researcher who could 
not fully guarantee that the transfer would result in no uses of 
the data not reasonably anticipated by the data subjects. 


(6) Have the capacity to make fully documented data readily 
available for independent analysis. 


This requirement should be understood to mean that data 
whose use helps an organization to influence social policy and 
behavior must be readily available. In cases where independent 
analysis could not be performed without knowing the identity 
of each data subject, a system would be considered fully “‘ca- 
pable” if, for example, it had obtained the consent of each 
data subject to participate in a follow-on study, or had a pol- 
icy of seeking the consent of data subjects on behalf of per- 
sons wanting to perform such independent analysis. 


H. PUBLIC NOTICE REQUIREMENT 


Any organization maintaining an automated personal data system used ex- 
clusively for statistical reporting or research shall give public notice of the 
existence and character of its system once each year. Any organization main- 
taining more than one such system shall publish annual notices for all its 
systems simultaneously. Any organization proposing to establish a new system, 
or to enlarge an existing system, shall give public notice long enough in advance 
of the initiation or enlargement of the system to assure individuals who may be 
affected by its operation a reasonable opportunity to comment. The public 


notice shall specify: 
(1) The name of the system; 
(2) The nature and purpose(s) of the system; 


(3) The categories and number of persons on whom data are (to 
be) maintained; 


(4) The categories of data (to be) maintained indicating which 
categories are (to be) stored in computer-accessible files; 


(5) The organization’s policies and practices regarding data stor- 
age, duration of retention of data, and disposal thereof; 


(6) The categories of data sources; 


(7) A description of all types of use (to be) made of data, 
indicating those involving computer-accessible files, and in- 
cluding all classes of users and the organizational relationships 
among them; 


(8) The procedures whereby an individual, group, or organization can 
gain access to data for independent analyis; 


(9) The title, name, and address of the person immediately re- 
sponsible for the system; 


(10) A statement of the system’s provisions for data confiden- 
tiality and the legal basis for them. 


This requirement has two primary objectives: (1) to assure 
that there will be no automated personal data system whose 
very existence is kept secret from the public; and (2) to assure 
that uses of systems by organizations to help them influence 
social policy or behavior are not immune from independent 
expert scrutiny. Instances will no doubt arise in which an- 
nouncement of a research project prior to undertaking it could 
seriously hamper part of the study. In other instances, the 
scale of a project might be so small, and its influence on social 
policy so remote, that strict compliance with the public notice 
requirement will seem unduly burdensome. For such cases 
some mechanism will have to be devised for granting exemp- 
tions from the public notice requirement. Because of the diver- 
sity of statistical-reporting and research activities that organi- 
zations conduct, sponsor, or support, we have not tried to 
specify criteria for granting exemptions or to prescribe any 
particular mechanism for dealing with requests for exemptions 
on a case-by-case basis. We do feel, however; that the people 
who want to do research that might qualify for an exemption 
should not be asked to bear the full burden of deciding 
whether an exemption is appropriate. 


The matter of exemptions from the public notice require- 
ment is one to which careful attention will have to. be 
addressed when the safeguard requirements are being applied 
by administrative action, andeventually in connection with the 
enactment of legislation establishing the code of fair informa- 
tion practice for statistical-reporting and research systems. 
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We have also refrained from specifying a uniform mecha- 
nism for giving notice. For Federal agencies, we would expect 
formal notice in the Federal Register, but a catalog of data 
files published annually would also suffice. We would expect 
State and local governments to use whatever comparable 
mechanisms are available to them. Other systems may find 
that notices given through professional journals or mailings 
would be appropriate. Whatever methods are chosen, an orga- 
nization must have copies of its notices readily available to 
anyone requesting them. 


iI, RIGHTS OF INDIVIDUAL DATA SUBJECTS 


Any organization maintaining an automated personal data system used 


exclusively for statistical reporting or research shall: 


(1) Inform an individual asked to supply personal data for the 
system whether he is legally required, or may refuse, to supply 
the data requested, and also of any specific consequences for 
him, which are known to the organization, of providing or not 
providing such data; 


As indicated in Chapter IV (p. 59, above), one purpose of this 
requirement is to discourage coercive collection of personal 
data that are to be used exclusively for statistical reporting and 
research. However, the requirement that an individual be in- 
formed of the consequences of providing, or not providing, 
data for a system is also intended to assure that no pledge to 
hold data in confidence will be given by a data-collecting orga- 
nization without apprising each data subject of the legal limita- 
tions, if any, of such a pledge. 


(2)? Assure that no use of individually identifiable data is made 
that is not within the stated purposes of the system as reason- 
ably understood by the individual, unless the informed consent 
of the individual has been explicitly obtained; 


3 This requirement corresponds to requirement III(3) in Chapter IV. 
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(3) Assure that no data about an individual are made available 
from the system in response to a demand for data made by 
means of compulsory legal process, unless the individual to 
whom the data pertain (i) has been notified of the demand, and 
(ii) has been afforded full access to the data before they are 
made available in response to the demand. 


The intent of this requirement is similar to that of require- 
ment III (5), as explained in Chapter IV (p.. 63, above)<Be- 
cause there is no safeguard requirement for statistical-reporing 
and research systems giving an individual the right of access to 
data about himself (as provided in requirement -J// (2) for 
administrative systems), this requirement gives an individual 
that right in the event of a compulsory process demand. The 
need for this requirement would be obviated by enactment of 
legislation providing effective protection against compulsory 
disclosure of identifiable personal data maintained in 
statistical-reporting and research systems. However, until such 
legislation is enacted, or if, when enacted, the legislation leaves 
an organization maintaining such a system any discretion 
whatsoever to waive the protection against compulsory disclo- 
sure, this safeguard should be the minimum, protection af- 
forded individual data subjects. 


Statutory Protection Against Compulsory Disclosure 


A primary goal of safeguard requirements for statistical-reporting 
and research systems must be to protect individual data subjects 
from harm. That goal will be frustrated if, after having been assured 
that the data he provides for a system will be seen only by persons 
formally involved in the statistical-reporting or research project, a 
data subject finds that the data have been disclosed in identifiable 
form in response to a subpoena. 

Statistical-reporting or research data that can be traced to identi- 
fiable individuals should not be subject to compulsory disclosure 
through legal process. In our view, there must be new Federal legis- 
lation protecting against such disclosure, and it should include the 
following features: 
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e The data to be protected should be limited to those used 
exclusively for statistical reporting or research, Thus, the 
protection would apply to statistical-reporting and research 
data derived from administrative records, and kept apart 
from them, but not to the administrative records them- 
selves.’ ° 


e The protection should be limited to data identifiable 
with, or traceable to, specific individuals. When data are 
released in statistical form, reasonable precautions to pro- 
tect against “statistical disclosure’’'' should be considered 
to fulfill the obligation not to disclose data that can be 
traced to specific individuals. 


e The protection should be specific enough to qualify for 
non-disclosure under the Freedom of Information Act 
exemption for matters “specifically exempted from dis- 
closure by statute’ 5 U.S.C. 552 (b) (3). 


¢ The protection should be available for data in the 
custody of all statistical-reporting and research systems, 
whether supported by Federal funds or not. 


¢ The Federal law should be controlling; no State statute 
should interfere with the protection it provides. (The need 
also exists for State legislation to protect statistical-re- 
porting and research data that cannot be reached by Federal 
legislation.) 


e Either the data custodian or the individual about whom 
data are sought by legal process should be able to invoke the 
protection, but only the individual should be able to waive 
it. 


'° See Note 7, Chapter V, p. 85, 


*! This is a risk that arises when a population is so narrowly defined that tabulations 
are apt to produce cells small enough to permit the identification of individual data 
subjects, or when a person using a statistical file has access to information which, if added 
to data in the statistical file, makes it possible to identify individual data subjects. See I. P. 
Fellegi, “On the Question of Statistical Confidentiality,” Journal of the American Statisti- 
cal Association, 67:337 (March 1972), pp. 7-18. 
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These are essential conditions for protecting statistical-reporting 
and research data from compulsory disclosure in identifiable form. 
Legislation incorporating the features indicated would not prevent 
the disclosure of basic records from a statistical-reporting or re- 
search system so long as data in the records could not be traced to 
specific individuals. 

We offer no specific guidance on the form of the statutory pro- 
tection. However, existing Federal confidentiality statutes contain 
some relevant examples. These range from absolute prohibitions 
against disclosure to authority for an administrative official to make 
disclosure regulations. Among the specific methods are the 
following: 


Absolute Prohibition of Disclosure. Two existing statutes provide 
stringent protections for personal data held by Federal agencies. 


(a) Data collected by the Bureau of the Census may not be 
revealed to anyone outside of the Bureau in a form in which 
an individual respondent is identifiable. There is no discretion 
for any Bureau official with respect to disclosure. There are 
criminal penalties for disclosure. The prohibition against dis- 
closure serves to defeat legal process. If a respondent retains a 
copy of a report made to the Bureau, the copy, like the orig- 
inal, is immune from process. 13 U.S.C. 9,214. 


(b) Data collected under the National Health Survey may not 
be used “‘for any purpose other than the statistical purpose for 
which it was supplied except pursuant to regulations of the 
Secretary [of Health, Education, and Welfare]; nor may any 
such information be published if the particular establishment 
or person supplying it is identifiable except with the consent 
of such establishment or person.” Sec. 305(a) of the Public 
Health Service Act, 42 U.S.C. 242c. Here again, the holders of 
the records are given no discretion to reveal information or 
withhold it; only the establishment or the person who supplied 
the information has that discretion. Criminal penalties for dis- 
closure derive from a general statute on disclosure of confiden- 
tial information. 18 U.S.C. 1905. 


Absolute Protection Against Compulsory Disclosure. A second 
pattern of data protection is provided by statutes that authorize a 
Federal official to authorize others to protect the privacy of indi- 
viduals who are the subject of research by withholding from all 
persons not connected with the research the names and other iden- 
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tifying characteristics of such individuals. Such authority is vested 
in the Secretary of Health, Education, and Welfare by Section 
303(a) of the Public Health Service Act, 42 U.S.C. 242a, with re- 
spect to drug research, and also by Section 333 of the Comprehen- 
sive Alcohol Abuse and Alcoholism Prevention, Treatment, and Re- 
habilitation Act of 1970, 42 U.S.C. 4582, with respect to alcohol 
abuse and alcoholism research. Similar authority is given the At- 
torney General by Section 502(c) of the Comprehensive Drug 
Abuse Prevention and Control Act of 1970, 21 U.S.C. 872(c), with 
respect to “research.” The latter authority speaks only of “‘re- 
search,” but appears in a section of the statute dealing with research 
related to enforcement of laws concerning drugs. 

The authority in each of these instances is explicit as to im- 
munity from process. Those who obtain the authorization “may 
not be compelled in any Federal, State, or local civil, criminal, 
administrative, legislative, or other proceeding” to identify the sub- 
jects of research. These sections are of wide scope. The authoriza- 
tion may be given to anyone engaged in the specified type of re- 
search. Thus, the Secretary or Attorney General can extend it to 
Federal employees under his control Federal employees in other 
agencies, grantees, and even to resea chers who are not grantees. 
However, there is no absolute prohid tion on disclosure. The Secre- 
tary or Attorney General may grant or withhold the authorization. 
The researcher with the authorization “may not be compelled. . .to— 
identify such individuals,’ but may choose to identify them pur- 
suant to process or otherwise, subject to whatever other ethical or 
legal constraints exist. Thus, it is not strictly a privilege, like the 
lawyer-client privilege, in which the individual who has provided the 
information controls the action of the professional in responding to 
process. 


Discretion to Disclose Under Specified Conditions. The Drug 
Abuse Office and Treatment Act of 1972 (P.L. 92-255) provides a 
third model. Section 408 of that Act, 21 U.S.C. 1175, establishes as 
confidential, and forbids disclosure of, patient records ‘which are 
maintained in connection with the performance of any drug abuse 
prevention function authorized or assisted under any provision of 
this Act or any Act amended by this Act.” There is a criminal 
penalty for disclosure. If the patient gives written consent, the 
record may be disclosed for medical care purposes, or to govern- 
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mental personnel in order to obtain benefits for the patient. If the 
patient does not give consent, the record may be disclosed for 
emergency medical treatment; for research, audit, or evaluation pur- 
poses (as long as the patient’s identity is not further disclosed); or if 
authorized by a court order upon application showing good cause. 
Criminal charges may not be initiated or substantiated on the basis 
of patient records, and patients may not be investigated on the basis 
of patient records, except pursuant to disclosure under a court 
order. The section continues to apply to a patient’s records after he 
ceases to be a patient. 

This statute speaks of records “‘maintained in connection with 
any drug abuse prevention function,” and this seems to include 
records kept solely for research, but the term “patient” is used 
repeatedly. The Act’s legislative history shows that confidentiality 
was provided so that drug abusers would more readily seek treat- 
ment. [H. Rept. No. 92-920, 92nd Cong., 2d Sess., 33(1972)]. 
Implementing regulations issued by the Special Action Office for 
Drug Abuse Prevention, 21 C.F.R. Part 401, define “patient’’ as 
anyone who is or has been interviewed, examined, diagnosed, 
treated, or rehabilitated in connection with any drug abuse preven- 
tion function, and include “research” in the definition of the drug 
abuse prevention function. 

It should be noted that the function of the court order in this 
scheme is to authorize a disclosure which would otherwise be for- 
bidden, rather than to compel disclosure. The implementing regula- 
tions make it clear that the holder of the records may disclose the 
records if so authorized by a court order, but is not obliged to do 
sO. 


Discretion to Specify the Condtions for Disclosure. Another pat- 
tern of protection is found in Section 1106(a) of the Social Secu- 
rity Act, 42 U.S.C. 1306(a). The section does not deal explicitly 
with research, but covers any information received by the Depart- 
ment of Health, Education, and Welfare in the course of discharging 
duties under the Social Security Act. The section provides that no 
disclosure shall be made “except as the Secretary may by regula- 
tions prescribe.” Thus, an administrative official is authorized to 
designate classes of information that may be disclosed, and that 
may not be disclosed, and to determine when and to whom data 
may be disclosed. In effect, an administrative official has discretion 
(which must be exercised in advance in published regulations) to 
respond to legal process or not.. 


In all societies men... have lived in the interstices of 
their institutions. They have counted on the mercy of 
error, ignorance and forgetfulness in their dealings 
with their fellows and the state. They have often been 
wrong in so doing—morally and/or factually, But in a 
world of computers this mercy may not long exist. 
All our failings and achievements, our credit-worth 
and our petty delinquencies, our obedience and our 
defiance, can live in the constant present of the 
machine. 


Donald G. MacRae, “Introduction” 
to Spencer’s The Man Versus the State.* 


*(Baltimore: Penguin Books), 1969. 
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The Social Security Numberas 
a Standard Universal Identifier 


Our charter commissioned us to analyze policy and practice 
relative to the issuance and use of the Social Security number, 
including prohibitions, restrictions, conditions, or other qualifica- 
tions on the issuance and use of the number which now exist, or 
might be imposed to help implement whatever safeguards for 
automated personal data systems we might recommend. 

This particular aspect of our charge stems from growing public 
concern that the Social Security number will become a standard 
universal identifier used by all manner of organizations and data 
systems to establish the identity of individuals, to link records 
about them, and generally to keep track of them from cradle to 
grave. This concern also led to the establishment of the Social 
Security Number Task Force in February 1970, and was reflected 
in former HEW Secretary Elliot L. Richardson’s testimony, in 
March 1971, before the U.S. Senate Subcommittee on Constitu- 
tional Rights, chaired by Senator Sam J. Ervin, Jr.' 

Why do these concerns exist? Are they reasonable? What can be 
done about them? To answer these questions we must first 
understand something about identifiers in general and the nature 
and implications of a standard universal identifier in particular. 


' Federal Data Banks, Computers and the Bill of Rights, Hearings before the 
Subcommittee on Constitutional Rights of the Committee on the Judiciary, United States 
Senate, 92nd Congress, 1st Session, February and March 1971, Part I, pp. 775-881. 
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There are many kinds of personal identifiers. A person’s name is 
an identifier, the most ancient of all, but is not a reliable one, since 
often it is neither unique nor permanent. Even unusual names may 
be widely shared, and because of family patterns identical ones are 
often concentrated in particular localities. Some names change 
when people marry or divorce, and when children are adopted. 
Some people are known by different names in different social 
settings; e.g., itinerants, persons with aliases, and married women 
who use a maiden name professionally. 

To compensate for the unreliability of names as personal 
identifiers, additional schemes of identification have been devised. 
These commonly take the form of numeric or alpha-numeric labels 
that provide the uniqueness and permanence names customarily 
lack. The reliability thereby achieved is important to record-keeping 
systems in order to assure accuracy in merging and updating data to 
be stored about individuals. Usually such labels are established for a 
single system, but in some instances, a single one may be used in 
more than one system; for example, in all the record-keeping 
systems of an organization that maintains different sets of records 
on a given group of people. If one label is used by separate 
organizations, such as the Social Security number is for the 
taxpayer’s identification number, a driver’s license number, and a 
school student number, that label may be on its way to becoming a 
de facto universal identifier. 


Criteria for a Standard Universal Identifier 


A standard universal identifier (SUD is a systematically assigned 
label that, theoretically at least, distinguishes a person from all 
others. If the labels assigned by a universal identification scheme are 
to fulfill this function, each SUI must meet all the following 
criteria: 

UNIQUENESS. It must be unique for each person. No more 


than one person can be assigned the same SUI, and each person 
must have no more than one SUI. 


PERMANENCE. It must not change during the life of an 
individual and should not be re-used after his death until all records 
concerning him have been retired. 
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UBIQUITY. Labels must be issued to the entire population for 
which unique identification is required. 


AVAILABILITY. It must be readily obtainable or verifiable by 
anyone who needs it, and quickly and conveniently regainable in 
case it is lost or forgotten. 


INDISPENSABILITY. It must be supported by incentives or ~ 


penalties so that each person will remember his SUI and report it 
correctly ; otherwise systems will become clogged with errors. 


ARBITRARINESS. It must not contain any information. If it 
does, e.g., State of issuance, it will be longer than necessary, thus 
violating the “brevity” criterion (see below). It may also violate the 
“permanence” criterion if changeable items, such as name or 
address, are incorporated. Most important, if items of personal 
information are part of an SUI, they will be automatically 
disseminated whenever the SUI is used; in our view, this would be 
undesirable. 


BREVITY. It must be as short as possible for efficiency in 
recognition, retrieval, and processing by man or machine. 


RELIABILITY. It must be constructed with a feature that 
detects errors of transcription or communication.” If the communi- 
cation of SUIs were done entirely by machine, errors could be 
minimized through technology, but short of this, there must be 
protection against the risk of human error in writing or reciting an 
SUI. For the foreseeable future, the need will continue for people 
to fill out forms and to report information themselves. 


7A possible error-detecting feature is a number (called a check-digit) that can be 
derived in some way from the identification number and appended to it. For example, a 
check-digit may be derived by multiplying the first digit of the identification number by 1, 
the second by 2, the third by 3 (and so on), summing the products of the multiplications, 
and extracting the digital root of their sum. The identification number 1463, handled this 
way, produces a check-digit of 3 (1X1=1, 2x4=8, 3X 6=18, 4x 3=12; 
1+8+18+12=39;3+9=12; 1 + 2 = 3) which is written at the end of the number to 
produce 14633. A computer and a human being can each readily verify the accuracy of 
the number. Transpositions are detectable. “14363,” for instance, would be caught as 
illegitimate, because the correct check-digit for the number 1436 is not 3, but 6 
(x1=1,2X4=8, 3X 3=9,4x 6= 24; 1+8+9+24=42;4+2= 6). Most single- 
digit errors are also detectable, though errors of more than one digit may coincidentally 
generate valid check-digits and hence not be detectable. 
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Implications of a Standard Universal Identifier 


The advantages of a standard universal identifier, as seen by its 
proponents, are easier and more accurate updating, merging, and 
linking of records about individuals for administrative, statistical, 
and research purposes. According to them, duplication and error in 
record keeping would be reduced. Individuals, moreover, would be 
relieved of the need to use many different identifying numbers; an 
SUI might supplant credit card numbers, personal checking account 
numbers, driver license numbers, and many other identifiers. 

In spite of these practical advantages, the idea of an SUI is 


objectionable to many Americans. Even in some European coun-™: 


tries where SUIs were introduced without opposition a generation 
or more ago, their use has recently raised fears and anxieties in the 
population. Many people both feel a sense of alienation from their 
social institutions and resent the dehumanizing effects of a highly 
mechanized civilization. Every characteristic of an SUI heightens 
such emotions. 


e The bureaucratic apparatus needed to assign and adminis- 
ter an SUI would represent another imposition of govern- 
ment control on an already heavily burdened citizenry. 


e To realize all the supposed benefits of an SUI, mandatory 
personal identity cards would have to be presented when- 
ever called for. Loss or theft of an SUI card would cause 
serious inconvenience, and the mere threat of official 
confiscation would be a powerful weapon of intimidation. 


e The national population register that an SUI implies 
could serve as the skeleton for a national dossier system to 
maintain information on every citizen from cradle to grave. 


e An unchangeable SUI used everywhere would make it 
much easier for an individual to be traced, and his behavior 
monitored and controlled, through the records maintained 
about him by a wide range of different institutions. 


e A permanent SUI issued at birth could create an incentive 
for institutions to pool or link their records,thereby making _, 
it possible to bring a lifetime of information to bear on any 
decision about a given individual. American culture is rich in 
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the belief that an individual can pull up stakes and make a 
fresh start, but a universally identified man might become a 
prisoner of his recorded past. 


This Committee believes that fear of a standard universal 
identifier is justified. Although we are not opposed to the concept 
of an SUI in the abstract, we believe that, in practice, the dangers 
inherent in establishing an SUI—without Jegal and social safeguards 
against the abuse of automated personal data systems—far out- 
weigh any of its practical benefits. Therefore, we take the position 
that a standard universal identifier should not be established in the 
United States now or in the foreseeable future.? The question can 
surely be re-examined after there has been sufficient experience 
with the safeguards proposed in this report to evaluate their 
effectiveness. 


The Social Security Number (SSN) as an SUI 


But is it not too late to oppose a standard universal identifier? Is 
not the SSN already a de facto SUI? To answer these questions, we 
must first measure the SSN against the criteria for an SUI given 
above. 


UNIQUENESS. {The SSN is not a unique label. More than 4.2 
million people, by the Social Security Administration’s own 
estimates, have two or more SSNs. More serious, although much less 
prevalent, are the instances in which more than one person has been 
issued or uses the same SSN.* \ 


>The National Academy of Sciences Computer Databanks Project reached a similar 
conclusion on the basis of its independent, empirical assessment of the issues involved. See 
Alan F, Westin and Michael A. Baker, Databanks in a Free Society (New York: Quadrangle 
Books), 1972. pp. 396-400. 

4“Account number 078-05-1120 was the first of many numbers now referred to as 
‘pocketbook’ numbers, It first appeared on a sample account number card contained in 
wallets sold ... nationwide in 1938. Many people who purchased the wallets assumed the 


-number to be their own personal account number, It was reported thousands of times on 


employers’ quarterly reports; 1943 was the high year, with 5,755 wage earners listed as 
owning the famous number. More recently, the IRS requirement that the Social Security 
AN [Account Number] be shown on all tax returns resulted in 39 taxpayers showing 
078-05-1120 as their number. The number continues to be reported at least 10 times each 
quarter. There are now over 20 different ‘pocketbook’ numbers... .”’ Account Number 
and Employer Contact Manual (Baltimore, Md.: Social Security Administration), Sec. 121. 
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PERMANENCE. The SSN is, in almost all cases, permanent for 
an individual throughout his life. 


UBIQUITY. The SSN is nearly universal for adult Americans, 
much less so for those of high-school age and below. 


AVAILABILITY. The SSN of an individual is readily verifiable 
by the Social Security Administration for some users, and not at all 
for others. It is regainable from the Social Security Administration 
by persons who have lost their cards and forgotten their numbers, 
but not immediately. An individual’s SSN, however, is increasingly 
ascertainable from many sources other than the Social Security 
Administration. 


INDISPENSABILITY. The incentives and requirements to re- 
port one’s SSN correctly are growing, though in some contexts 
there are incentives to omit or falsify the number. 


ARBITRARINESS. The SSN is not entirely arbitrary; the State 
of issuance is coded into the number. 


BREVITY. The SSN With its nine digits is three places longer 
than an alpha-numeric label capable of numbering 500 million 
people without duplication, and two places longer than one that 
can accommodate 17 billion people. The SSN could therefore be 
shorter if it were alpha-numeric. 


RELIABILITY. The SSN has no check-feature, and most 
randomly chosen nine-digit numbers cannot be distinguished from 
valid SSNs. It is thus particularly prone to undetectable errors of 
transcription and oral reporting. 


By our definition, the SSN cannot fully qualify as an SUI, it only 
approximates one: } 


The SSN had its genesis.in accounting practice and was first 
known as the Social Security Account Number (SSAN). It was 
established to number accounts for the 26 million people with 
earnings from jobs covered by the Social Security Act of 1935. 
Income-maintenance benefits under the Act, though not payable 
until the retirement or death of a worker, were to be determined on 
the basis of his record of earnings. Each worker needed a uniquely 
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Such taxes shall be collected and paid in such manner... 
(either by making and filing returns, or by stamps, coupons, 
tickets, books, or other reasonable devices or methods 
necessary or helpful in securing a complete and proper 
collection and payment of the tax or in securing proper 
identification of the taxpayer), as may be prescribed by the 
Commissioner of Internal Revenue. . .. 


identifiable account to which records of his earnings would be ~ 
posted periodically. Since obviously many would have the same or ; 
similar names, it was decided to assign each a unique number to 
identify his account and assure an accurate record of earnings, 
which his employer would report both by name and account $ 


number. 
Name and number were used because standard accounting 4 


practice had accustomed people to numbered accounts, and because 
the technology of the day, notably the punched card machine with | 
its 80-column card, required a short numeric identifier for 3 
efficiently adding the records of new transactions to existing 4 
master-file records. “y 

Nine digits were chosen to provide for future expansion. A 
check-feature was not provided because the technology of the day . 
could not cope with it, and manual checking, though possible, was , 
judged too time-consuming to be feasible. The Social Security 2 
Administration has developed ingenious error-detection methods, 4 
and has improved them over the years to the point where it now 3 
neither needs nor desires a check- feature,$ 4 

Despite the deficiencies of the SSN for purposes other than those 4 
for which it was designed, its use is widespread and growing, even 4 
where its limitations are recognized. How did this come about? Why ; 
is the SSN now so widely used for purposes and in areas unrelated 3 
to the Social Security program? 


Ff The first mention of the SSN in a law or regulation is in a Bureau 
F of Internal Revenue regulation of November 5, 1936 under which 
Fan identifying number, called an “account number,” was to be 
kapplied for by each employee, and assigned by the Postmaster 
f General or the Social Security Board. Each employee was directed 
FP to report his number to his employer. Employers were directed to 
P keep records showing the name and number of each employee and 
F to enter employee account numbers on all required tax returns. The 
Fregulation provided that “Any employee may have his account 
Fnumber changed at any time by applying to the Social Security 
= Board and showing good reasons for a change. With that exception, 
F only one account number will be assigned to an employee.’”® 

fF It is ironic to discover—though logical and understandable in 
d retrospect—that the first step in the process of extending the use of 
@ the Social Security number beyond the purposes of the Social 
= Security program was taken by the Social Security Board itself on 
Planuary 15, 1937. After the Social Security Act was passed, a 
E question arose about an account numbering system to be used by 
State agencies established to administer the State unemployment 
insurance programs. The Board decided that the Social Security 
‘number should be used for all workers insured under these 
E programs, rather than have each State agency develop its own 
identification system. As a result of this decision, many workers not 
;covered by the Social Security program received SSNs for use in 
State unemployment insurance programs. 

4 For some years after its inception in 1936, there was no ~ 
Fsubstantial use of the SSN other than that required for the Social 
. Security and unemployment compensation programs. Most Ameri- 
scans had not been issued a number, and few organizations felt the 
peed of a numeric identifier for purposes of data processing. 


History of the Social Security Number and Its Uses 


The original Social Security Act (P.L. 74-271, August 14, 1935) § 
imposed two taxes to finance the program of retirement and 4 
survivor benefits to be administered by the Social Security Board. 4 
One was a tax as a percentage of wages imposed on employees; the 4 
second was a matching tax on employers. To finance the Federal 
contribution to State programs of unemployment compensation 4 
required by the same Act, a tax as a percentage of wages was 4 
imposed on employers. 4 

Section 807 of that Act charged the Bureau of Internal Revenue 4 
in the Treasury Department with collecting all three taxes. Section 3 
807(b) provided 


5 Ibid., Sec. 554 ff. T.D. 4704, 1 Fed. Reg. 1741 (Nov. 7, 1936); 26 C.F.R. Part 401 (1st ed., 1939). 
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identification system of accounts under the order. The order also 
directs that 


The Social Security Board and each Federal agency shall* 
maintain the confidential character of information relating to 
individuals obtained pursuant to the provisions of this Order. 


Although many people are under the impression that use of the ? 
SSN for other than Social Security program purposes is forbidden 4 
by law, this is not the case and never has been. The impression may * 
in part have arisen from the fact that, for many years, the card 4 
bearing one’s Social Security Account Number has carried the 4 
legend, “NOT FOR IDENTIFICATION.” The purpose of this ‘ 
legend is to notify anyone to whom a card might be presented that ° 
it cannot be relied upon, by itself, as evidence of the identity of the 3 
person presenting it. 3 

In 1943, the Civil Service Commission decided that there should ° 
be a numerical identification system for all Federal employees and 4 
proposed to the Bureau of the Budget that use of the SSN be 4 
authorized for this purpose. This led to the issuance of Executive 2 
Order 9397. That order, which is still in effect, provides in part as _ 
follows: . 


’ Finally, the order provides for the costs of services rendered 
thereunder by the Social Security Board to be reimbursed by the 
f agency receiving such services. 

‘ Most civil servants had never applied for SSNs because their 
employment was not covered by the Social Security Act. Since they 
were not being assigned numbers for Social Security program 
purposes, the costs had to be paid from funds appropriated for the 
F Civil Service Commission. The Commission, however, was unable to 
, obtain the necessary funds, and so it was not until November, 1961 
. that the assignment of numbers to Civil Service employees was 
; initiated as an adjunct of the Internal Revenue Service’s taxpayer 
«identification program (see below). 

». The issuance of Executive Order 9397 in 1943 theoretically may 
t have provided the basis for a change in conception of the role of the 
F SSN. However, there is no evidence that it had any practical 
significance until after the 1961 decision to use the SSN as an 


WHEREAS certain Federal agencies from time to time 
require in the administration of their activities a system of 
numerical identification of accounts of individual persons; 
and... 


WHEREAS it is desirable in the interest of economy and 
orderly administration that the Federal Government move 


towards the use of a single, unduplicated numerical identifica- 
tion system of accounts and avoid the unnecessary establish- 
ment of additional systems; 


NOW, THEREFORE, . . . it is hereby ordered as follows: 


1. Hereafter any Federal department, establishment, or 
agency shall, whenever the head thereof finds it advisable to 
establish a new system of permanent account numbers 
pertaining to individual persons, utilize exclusively the Social 
Security account numbers.... 


The order directs the Social Security Board, the predecessor agency ; 


_ individual identifier for Federal tax purposes. It has been suggested 
F that Executive Order 9397 was intended to apply only to instances 
« when Federal agencies seek to number records of financial 
- transactions, and not to numbering other kinds of records, such as 
&- employment, attendance, performance, or medical records. The 
fiscal interpretation follows from the wording of the order which 
,. Speaks of the efficiency to be gained from “a single... system of 
F accounts....’” To interpret the order as applying to all kinds of 
. Federal agency record systems is arguably beyond the meaning of 
f its language. In any case, it appears that Federal agencies are free to 
yp use the SSN in any way they wish, and no instance has come to our 
attention in which the order has been invoked to compel or limit an 


of the Social Security Administration, to provide for the assignment.3 
of an account number to any person required by any Federal j 
agency to have one, and to furnish the number, or the name and 4 
identifying data, pertaining to any person or account number upon 4 
request of any Federal agency using the SSAN for a numerical } 


E agency’s use of the SSN. 


What many regard as the single most substantial impetus to use 
Pthe SSN for purposes other than the Social Security program 
F occurred in 1961, when the Internal Revenue Service, after 
F discussions with the Social Security Administration, decided to use 
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the SSN for taxpayer identification. This decision was implemented 
by an amendment to the Internal Revenue Code that authorized the 
Secretary of the Treasury to require each person making “a return, 
statement, or other document” under the Internal Revenue Code to 
“include such identifying number as may be prescribed for securing 
proper identification of such person.” The Secretary was also 
authorized ‘‘to require such information as may be necessary to 
assign an identifying number to any person.’”’ The Secretary 
delegated his authority to the Commissioner of Internal Revenue, 
who has issued a number of regulations, the combined effect of 
which may be summarized as follows. 


e The taxpayer’s identification number for use by individuals (except 
as employers in a trade or business) is the SSN. 


e The SSN for each individual taxpayer and each beneficiary of an 
estate or trust must be furnished on all tax returns and related 
statements and documents filed in connection with every tax imposed 
by the Internal Revenue Code. (A failure to include the number as 
required on a return gives rise to a civil penalty of $5, unless the 
failure to provide the number is due to “reasonable cause.” Int. Rev. 
Code of 1954, Sec. 6676.) 


e An individual is obliged to obtain an SSN from the Social Security 
Administration and furnish it when requested, for purposes of 
complying with Internal Revenue Service regulations, by any of the 
following: employers; estates and trusts; corporations and other 
entities paying dividends; banks, mutual savings and savings and loan 
institutions; insurance companies; stockbrokers and securities dealers; 
other entities paying interest; and nominees receiving dividends or 
interest. 


Many other actions of the Federal government have expanded 
the areas of use of the SSN beyond its original purposes. 


© The Treasury Department further expanded use of the SSN in 1963 
by requiring its use in registration of all United States transferable and 
non-transferable securities other than U.S. savings bonds. The follow- 
ing year the requirement for such use of the SSN was applied to 
Series H savings bonds. The Treasury Department has announced that 
as of October 1, 1973, the inscriptions on Series E bonds must also 
include the SSN. (Meanwhile the Treasury has modified its earlier 


™P.L. 87-397 (Oct. 5, 1961); Internal Revenue Code of 1954, Sec. 6109. 
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rule that the names of women on savings bond inscriptions be 
preceded by “Miss,” “Mrs.,” or other title, by permitting omission of 
the title if the woman’s SSN is included.) 


e In a decision dated April 16, 1964, the Commissioner of Social 
Security approved the issuance of SSNs to pupils in the ninth grade 
and above, if a school requests such issuance and indicates willingness 
to cooperate in the effort. The Social Security Administration Claims 
Manual explains that this decision was made (1) to accommodate 
requests from school systems “desiring to use the SSN for both 
automatic data processing and control purposes, so that the progress 
of pupils could be traced throughout their school lives across district, 
county, and State lines”, and (2) because issuance of SSNs to school 
children in groups is more orderly, efficient, less costly to the Social 
Security Administration, and gives better assurance of identification 
of the children than if students eventually apply for numbers one at a 
time. 


e In June 1965 the Commissioner of Social Security authorized the 
issuance of an SSN to every recipient of State old-age assistance 
benefits who did not already have one, in order to establish a more 
efficient process for exchange of information between these agencies 
and the Social Security Administration. When the Social Security Act 
was amended in 1965, to provide hospital and medical insurance 
(Medicare) administered by the Social Security Administration, it 
became necessary for most individuals aged 65 and over who did not 
already have an SSN to obtain one. 


e In June 1965 the Civil Service Commission began to add SSNs to 
the retirement records of their annuitants. This represented an 
extension of the SSN issuance system started in 1961 for civil service 


employees. 


e Effective January 1, 1966, after consultation with the Social 
Security Administration, the Veterans Administration began using the 
SSN as a hospital admission number, and for other record-keeping 


purposes. 
e On April 7, 1966, the Commissioner of Social Security approved 
the test usage of the SSN by the Division of Indian Health of the 


Public Health Service to facilitate development and maintenance of 
comprehensive health histories of Indians from.birth to death. 
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e By memorandum dated January 30, 1967, the Secretary of Defense 
advised the Social Security Administration of his decision to use the 
SSN as the service number of all military personnel. 


e Pursuant to the Currency and Foreign Transactions Reporting Act 
(the so-called Bank Secrecy Act), P.L. 91-508, October 26, 1970; 31 
U.S.C. 1051-1122, the Treasury Department issued regulations in 
1972 requiring banks, savings and loan associations, credit unions, and 
brokers and dealers in securities to obtain the SSNs of all their 
customers. The Act requires these financial organizations to maintain 
records of certain large transactions to facilitate criminal, tax, and 
regulatory investigations with respect to currency and foreign transac- 
tions. The SSNs of individuals required for account records under the 
regulations will already have been obtained in almost all cases by these 
financial organizations under regulations of the Internal Revenue 
Service governing tax reporting. A notable impact has been the 
requirement to furnish one’s SSN to open a checking account. 


e Use of the SSN is being promoted by the National Driver Register 
of the U.S. Department of Transportation. Although the Department 
of Transportation lacks authority to require it, use of the SSN is 


encouraged by the Register to facilitate matching the records of- 


reports and inquiries it receives. This has led most State motor vehicle 
departments to collect SSNs from all drivers, and some to shift to the 
SSN for their driver license identification number, 


e The Social and Rehabilitation Service of the Department of Health, 
Education, and Welfare has for some time been promoting the use of 
the SSN by States for the identification of individual applicants and 
beneficiaries under all welfare and social services programs. 


e The Congress, in Section 137 of the Social Security Amendments 
of 1972,° has required the Secretary of HEW to take affirmative 
measures to issue SSNs to the maximum extent practicable to aliens 
entitled to work in the United States and “to any individual who is an 
applicant for or recipient of benefits under any program financed in 
whole or in part from Federal funds including any child on whose 
behalf such benefits are claimed by another person.” The quoted 
language of this requirement appears to call for the issuance of an SSN 
to virtually everyone in America who does not already have one, but 
the legislative history clearly indicates that such universal enumeration 
was not intended. The Senate Finance Committee had proposed a 


> P.L. 92-603, October 30, 1972; 42 U.S.C. 405. 
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requirement of affirmative measures for the assignment of SSNs to all 
children at the time they first enter school, as well as to aliens and all 
applicants for and recipients of benefits under Federally supported 
programs. However, the bill was amended in conference. Instead of 
requiring the Secretary to take affirmative measures to enumerate 
children at their entrance into school, the Act makes such measures 
optional, but the Act retains the requirement that numbers be 
assigned to aliens, and to applicants and recipients of benefits. 
Although the legislation does not specify any uses to be made of SSNs 
issued pursuant to its mandate, the legislative history indicates that 
Congress intended them to be available for use in preventing aliens 
from working illegally and public assistance beneficiaries from 
receiving duplicate or excessive payments. 

Review of the Federal actions described above (which do not by 
any means constitute an exhaustive list makes it clear that the 
Federal government itself has been in the forefront of expanding 
the use of the SSN. All these actions have actively promoted the 
tendency to depend more and more on the SSN as an identifier—of 
workers, taxpayers, automobile drivers, students, welfare benefi- 
ciaries, civil servants, servicemen, veterans, pensioners, and so on. 

(Tf use of the SSN as an identifier continues to expand, the 
incentives to link records and to broaden access to them are likely 
to increase. {Until safeguards such as we have recommended in 
Chapters IV, V and VI have been implemented, and demonstrated 


to be effective, there can be no assurance that the consequences for 


individuals of such linking and accessibility will be benign. At best, 
individuals may be frustrated and annoyed by unwarranted ex- 
changes of information about them. At worst, they may be threat- 
ened with denial of status and benefits without due process, since at 
the present time record linking and access are, in the main, 
accomplished without any provision for the data subject to protest, 
interfere, correct, comment, and, in most instances, even to know 
what linking of which records is taking place for what purposes. 
Although few people have flatly proposed that an SUI be 
mandated for all Americans, there is a strong tendency for 
authorities in government and industry to make decisions that, 
taken collectively, are likely to lead to the establishment of an SUI. 
There is an increasing tendency for the Social Security number to 
be used as if it were an SUI. Even organizations selecting a 
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single-system personal identifier are likely to choose the SSN 
“because it is available,” or for efficiency and convenience. There 
are pressures on the Social Security Administration to do things 
that make the SSN more nearly an SUI, such as issue more SSNs 
than the Social Security program requires, for purposes wholly 
unrelated. 

We believe that any action that would tend to make the SSN 
more nearly an SUI should be taken only if, after careful 
deliberation, it appears justifiable and any attendant risks can be 
avoided. (We recommend against the adoption of any nationwide, 
standard, personal identification format, with or without the SSN, 
that would enhance the likelihood of arbitrary or uncontrolled 
linkage of records about people, particularly between government 
or government-supported automated personal data systems.? What 
is needed is a halt to the drift toward an SUI and prompt action to 
establish safeguards providing legal sanctions against abuses of 
automated personal data systems. | The recommendations in the 
following chapter are directed toward that end. 


One notable attempt to establish a standard for the identification of individual 
Americans for purposes of information exchange was that offered by a committee of the 
American National Standards Institute (ANSI) in 1969. The standard, as proposed, 
consisted in part of an individual’s SSN; opposition to that feature in particular led in 
1972 to official withdrawal of the standard from further consideration pending resolution 
of the issues that are covered by this report. 


The Unknown Citizen 
(To JS/07/M/378 
This Marble Monument 
Is Erected by the State) 


He was found by the Bureau of Statistics to be 

One against whom there was no official complaint, 

And all the reports on his conduct agree 

That, in the modern sense of an old-fashioned word, he 
was @ saint, 

For in everything he did he served the Greater Community. 

Except for the War until the day he retired 

He worked in a factory and never got fired, 

But satisfied his employers, Fudge Motors, Inc. 

Yet he wasn't a scab or odd in his views, 

For his Union reports that he paid his dues, 

(Our report on his Union shows it was sound) 

And our Social Psychology workers found 

That he was popular with his mates and liked a drink. 

The Press are convinced that he bought a paper every day 

And that his reactions to advertisements were normal in 
every way. 

Policies taken out in his name prove that he was fully insured, 

And his Health-card shows he was once in hospital but left 
it cured. 

Both Producers Research and High-Grade Living declare 

He was fully sensible to the advantages of the Instalment Plan 

And had everything necessary to the Modern Man, 

A phonograph, a radio, a car and a frigidaire. 

Our researchers into Public Opinion are content 

That he held the proper opinions for the time of year; 

When there was peace, he was for peace; when there was war, 
he went. 

He was married and added five children to the population, 

Which our Eugenicist says was the right number for a parent of 
his generation, 

And our teachers report that he never interfered with 
their.education, 

Was he free? Was he happy? The question is absurd: 

Had anything been wrong, we should certainly have heard. 


W. H. Auden 


Copyright © 1940 and renewed 1968 by W. H. Auden. From Collected Shorter Poems, 
1927-1957, Reprinted by permission of Random House, Inc. 
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VII 


Recommendations Regarding 


Use of the Social § i 
Number crs a 


Until safeguards against abuse of automated personal data sys- 
tems sp peta effective, constraints should be imposed on the 
use oO € SSN. After that, the question of SSN i 
ee use might properly 


We recommend that Federal poli i 
policy with respect to use of th 
SSN be governed by the following general principles, ° 


First, uses of the SSN should be limited to those necessary for 


carrying out requirements imposed b the 
pai p y Federal govern- 


Second, Federal agencies and departments should not require 
or promote use of the SSN except to the ex.ent that they have 
a specific legislative mandate from the Congress to do so. 


Third, the Congress should be sparing in mandating use of the 
SSN, and should do so only after full and careful consideration 
preceded by well advertised hearings that elicit substantial 
public participation. Such consideration should weigh care- 
fully the pros and cons of any proposed use, and should pay 
particular attention to whether effective safeguards have been 
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applied to the automated personal data systems that would be 
affected by the proposed use of the SSN. 


Fourth, when the SSN is used in instances that do not con- 
form to the three foregoing principles, no individual should be 
coerced into providing his SSN, nor should his SSN be used 
without his consent. 


Fifth, an individual should be fully and fairly informed of his 
rights and responsibilities relative to uses of the SSN, including 
the right to disclose his SSN whenever he deems it in his 
interest to do so. 


In light of these principles, we make specific recommendations - 
with respect to the individual’s right to refuse to disclose his SSN, 
issuance of SSNs, constraints on use or dissemination of SSNs, and 
prohibition of non-data-processing uses of the SSN. Ideally, 
Congress should review all present Federal requirements for use of 
the SSN to determine whether the existing requirements should be 
continued, repealed, or modified} In this chapter, we recommend 
several modifications that would apply to all SSN requirements now . 
in force. ; 


a Sie a f : 
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Specific Recommendations on the Social Security Number 


RIGHT OF AN INDIVIDUAL TO REFUSE TO 
DISCLOSE THE SOCIAL SECURITY NUMBER 


As indicated in Chapter VII, increasing demands are being placed 
on individuals to furnish an SSN in circumstances when use of the 
SSN is not required by the Federal government for Federal program 
purposes. For example, the SSN is demanded of individuals by 
State motor vehicle departments, by public utility companies, 
landlords, credit grantors, schools, colleges, and innumerable other 
organizations. 

Existing Federal law and Social Security regulations are silent on 
such uses of the SSN. They provide no clear basis for keeping State 
and local government agencies and private organizations from 
demanding and using the number. As a practical matter, disclosure 
of one’s SSN has been made a condition for obtaining many 
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benefits and services, and legal challenges to this condition under 
State law have been almost uniformly unsuccessful. 

If the SSN is to be stopped from becoming a de facto SUI, the 
individual must have the option not to disclose his number unless 
required to do so by the Federal government for legitimate Federal 
program purposes, and there must be legal authority for his refusal. 
Since existing law offers no such clear authority, we recommend 
specific, preemptive, Federal legislation providing: 


(1) That an individual has the right to refuse to disclose his 
SSN to any person or organization that does not have specific 
authority provided by Federal statute to request it; 


(2) That an individual has the right to redress if his lawful 
refusal to disclose his SSN results in the denial of a benefit, or 
the threat of denial of a benefit; and that, should an individual 
under threat of loss of benefits supply his SSN under protest 
to an unauthorized requestor, he shall not be considered to 
have forfeited his right to redress. 


(3) That any oral or written request made to an individual for 
his SSN must be accompanied by a clear statement indicating 
whether or not compliance with the request is required by 
Federal statute, and, if so, citing the specific legal requirement. 


ISSUANCE OF SOCIAL SECURITY NUMBERS. 


The report of the Social Security Number Task Force’ identified 
the need to improve the integrity of the SSN for some uses now 
required by Federal law. Steps have been initiated during the last 
two years to decrease the likelihood that any individual will be 
assigned more» than one SSN without the knowledge of the Social 
Sécurity Administration. They include: improved procedures for 
verifying the identity of each applicant for an SSN; issuance of 
SSNs only from the central office of the Social Security Adminis- 
tration rather than from its 1,000 field offices; implementation of a 
process. that will provide comprehensive, automated screening of 
applications for SSNs; and the establishment by Section 208 of the 
Social Security Act? of a penalty for fraudulently furnishing false 


' Social Security Number Task force: Report to the Commissioner (Baltimore, Md.: 
U.S. Social Security Administration), 1971. 

2 As provided by Section 130 of the Social Security Amendments of 1972, P.L. 
92-603, October 30, 1972; 42 U.S.C. 408. 
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information regarding one’s identity in order to obtain an SSN. 
There is good reason to expect that the combined effect of all these 
actions will be to improve significantly the integrity of the SSN. 


Enumeration of School Children. The Social Security Number 
Task Force recommended that the Social Security Administration 
“should embark on a positive program of enumerating [issuing 
SSNs to] school children at the ninth-grade level, with concurrent 
establishment of proof of age and identity.” We have given long and 


careful thought to this recommendation. Our first inclination was 


flatly to oppose it as an action that would promote the use of the 
SSN as a de facto SUI. After further deliberation, and exploration 
of relevant issues with the Commissioner of Social Security, we 
decided to endorse the Task Force recommendation with two im- 
portant qualifications. Specifically, we recommend 


(4) That the Social Security Administration undertake a posi- 
tive program of issuing SSNs to ninth-grade students in 
schools, provided (a) that no school system be induced to 
cooperate in such a program contrary to its preference; and (b) 
that any person shall have the right to refuse to be issued an 
SSN in connection with such a program, and such right of 
refusal shall be available both to the student and to his parents 
or guardians. 


Children in the ninth grade have reached the age when they are 
likely to seek part-time or summer employment and need an SSN 
for Social Security program and Federal income tax purposes. In- 
deed, many young people obtain SSNs for such purposes before 
they reach ninth grade. Under Section 137 of the Social Security 
Amendments of 1972, many children who receive certain Federal 
cash benefits will also be assigned SSNs before they reach ninth 
grade. Since a program of ninth-grade enumeration is likely to be 
consistent with the needs and convenience of most young people, it 
is not likely to seem coercive. Moreover, our recommendation is 
designed to prevent any coercion. 

Both the Task Force Report and the Commissioner of Social 
Security have indicated that a program of ninth-grade enumeration 
would offer the Social Security Administration an opportunity to 
inform students about the Social Security program and their rights 


120 KECOKDS, COMPUTERS, AND THE RIGHTS OF CITIZENS 


and responsibilities in relation to it. We urge that any such student 
briefings include information about their rights and responsibilities 
with respect to uses of the SSN. We also note the observations made 
in the Task Force Report, and reiterated by the Commissioner of 
Social Security, that ninth-grade enumeration is advantageous to 
the Social Security Administration on a cost-benefit basis. 

Finally, our inquiries and discussions with Social Security Ad- 
ministration representatives convinced us that a positive program of 
ninth-grade enumeration would contribute significantly to en- 
hancing the integrity of the SSN. The contribution to this end 
might appear somewhat greater if the program enumerated children 
at the time of their first enrollment in school, as authorized by the 
Congress in Section 137 of the Social Security Amendments of 
1972. However, we strongly recommend 


(5) That there be no positive program of issuing SSNs to chil- 
dren below the ninth-grade level, either at the initiative of the 
Social Security Administration or in response to requests from 
schools or other institutions. 


A positive program of issuing SSNs to all children at school entry 
has little to recommend it. It would almost surely seem coercive, 
since the proportion of children in kindergarten or first grade who 
need an SSN is small. These children are too young for a significant 
educational contact with the Social Security program. Most impor- 
- tant, such a mass enumeration program would be a very significant 
. further step toward making the SSN a de facto standard universal 
identifier—a step there are no compelling reasons to take. 


Enumeration of Beneficiaries of Federally Funded Programs. As 
we noted in Chapter VII (pp. 120-121), Section 137 of the Social 
Security Amendments of 1972 requires the Secretary of HEW to 
take affirmative measures to issue the SSN as widely as practicable. 


to any individual who is an applicant for or recipient of bene- 
fits under any program financed in whole or in part from 
Federal funds including any child on whose behalf such bene- 
fits are claimed by another person. 


This provision, read literally, could well provide the authority for 
establishing a standard universal identifier. Yet as we understand it, 


law 


Recommendations Regarding Use of the S5IN 


this provision was included in the legislation in the narrow context 
of improving the administration of public assistance programs. It is 
a technical provision in a large and complicated piece of legislation 
(the printed Public Law runs to 165 pages) in which other very 
controversial issues occupied the attention of the Congress and the 
public. This particular provision was not the subject of public hear- 
The conditions under which Section 137 became law did not 
allow for adequate consideration of an action that has the potential 
of driving America toward an SUI. We therefore believe that the 
Secretary has an obligation to use the authority granted in Section 
137 only in the most limited way consistent with the mandate—as a 
tool for improving the administration of public assistance programs. 
The potential consequences are too dangerous to allow an SUI to be 
established without wide and careful public consideration and full 
assessment of the potential consequences. 
Specifically, we recommend 
(6) That the Secretary limit affirmative measures taken to is- 
sue SSNs pursuant to Section 205 (c)(2) (BMD of the Social 
Security Act, as amended by Section 137 of Public Law 
92-603, to applicants for or recipients of public assistance 
benefits supported from Federal funds under the Social Secur- 
ity Act. 


We further recommend 
(7) That the Secretary do his utmost to assure that any future 


legislation dealing with the SSN be preceded by full and care- 
ful consideration and well advertised hearings that elicit sub- 
stantial public participation. ; 
[We would stress once again that the SSN in its present form is 
not a satisfactory standard universal identifier,’ Even with the steps 
that have been taken to improve the integrity of the SSN, the SSN 
cannot provide a guarantee of identity unless it ts coupled with 
some stable feature of physical identification, such as fingerprints. 
In its present form, therefore, adoption of the SSN as an sul would 
not lead to all the advantages of improved program administration 
that proponents of its widened use anticipate, e.g., to identify 


welfare beneficiaries. 
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If the Committee had to choose today between a true SUI, com- 
plete with fingerprinted identification cards on the one hand, and 
something less than ultimate efficiency in the administration of 
public assistance programs on the other, we would rather risk the 
latter; we think the American public would too. The steps being 
taken to strengthen the integrity of the SSN can lead to significant 
improvement in the administration of public assistance, while our 
recommendations will check the drift of the SSN toward becoming 
a de facto SUI. Until effective safeguards against the abuse of 
computer-based personal data systems have been established, and 
until there has been full public debate of the desirability of an SUI, 
this is the point at which the situation must be held in check. 


CONSTRAINTS ON USE AND DISSEMINATION 
OF SOCIAL SECURITY NUMBERS 


Recommendations (8}-(10) below are designed to limit uses of 
the SSN to those necessary to carry out Federal government pur- 
poses for which there is a legal requirement that the SSN be ob- 
tained and recorded, and to discourage all practices that substan- 
tially increase the circulation of individual SSNs together with the 
names of their holders. 

Recommendation (8) is intended to constrain the behavior of 
organizations and persons that are legally required to obtain and 
record the SSN for Federal purposes, but which use the SSN in 
other ways that constitute virtual public dissemination of SSNs 
along with names of the individuals to whom they belong. Among 
the many uses of the SSN that this recommendation is designed to 
abate are its use as an employee identification number, a patient 
identification number, a student identification number, a customer 
identification number, a driver identification number, and as the 
primary organizing element in the record-keeping system of any 
non-Federal organization. Although such uses may be convenient, 
they are not necessary. Under present circumstances, moreover, 
they increase the circulation of SSNs, thereby inviting uncon- 
strained linking of record-keeping systems. Accordingly, we recom- 
mend 


(8) That any organization or person required by Federal law 
to obtain or record the SSN of any individual be prohibited 
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from making any use or disclosure of the SSN without the 
informed consent of the individual, except as may be neces 
sary to the Federal government purposes for which it was 
required to be obtained and recorded. This prohibition should 
be established by a specific and preemptive act of Congress. 


This recommendation stems in part from observing that 
the Social Security Administration treats the SSN with the 


‘ same confidentiality as the data in its records of Social Security 
~ accounts. Access to Social Security data is governed by Section 


1106 of the Social Security Act and Regulation No. 1 of the Social 
Security Administration. The result is that the Social Security Ad- 
ministration will disclose an individual’s SSN only to those third 
persons and organizations permitted by law to obtain SSA record 
data. The Social Security Administration and the Internal Revenue 
Service each require organizations to obtain and use the SSNs of 
individuals for various Federal program purposes. In principle these 
agencies should require such organizations to treat the SSN with the 
same confidentiality as the Social Security Administration does. 
Regrettably, however, there appears to be no legal authority to 
support the imposition of such a requirement. Recommendation (8) 
would establish such authority. 

Recommendation (8), coupled with recommendations (1) and 
(3) (pp. 125-126, above), would also diminish the risk of nuisance, 
frustration, and possible serious disadvantage resulting from the use 
of an individual’s SSN to impersonate him. One use of the SSN that 
appears to be proliferating is as a password, Or authenticator of 
identity, when an individual’s name alone is thought insufficient, 
e.g., in credit-card purchasing and check-cashing. Such use is not 
necessary, just convenient, and can be risky, since the widespread 
circulation of SSNs makes them increasingly ascertainable by 
anyone wishing to impersonate another. 

An example from our own experience will illustrate the problem. 
We met on a Saturday in a conference room in a government fa- 
cility. Security procedures required us to give names and SSNs from 
a telephone located outside the locked main entrance to a guard 
who was out of sight inside the building. The guard had earlier been 
furnished with a list of our names and SSNs. Given the wide dis- 
semination of SSNs, we were impressed by how easily someone 
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could have impersonated any one of us to gain admittance to the 
building. 

One may treat this example lightly, but the principle is impot- 
tant. As long as the SSN of an individual can be easily obtained 
(some organizations list the SSNs of their employees or members in 
published rosters), both individuals and the organizations that use it 
as a password are vulnerable to whatever harm may result from 
impersonation. 

Recommendations (9) and (10) are intended to constrain the 
provision of “SSN services” by the Social Security Administration. 
The phrase, “SSN services,” is defined in the Social Security Num- 
ber Task Force Report as including 


enumeration, or issuing numbers to individuals who do not 
have them; validation, or confirming that the number an orga- 
nization has on file for an individual is the same as the number 
that appears for him in SSA records; correction, or supplying 
the proper number from SSA files when an individual has 
alleged an incorrect number; and identification, or supplying a 
number from SSA’s files to match a particular name, a name 
to match a number, or vice-versa [sic] .3 


¢ 


The Task Force report recommends that SSN services be pro- 
vided by the Social Security Administration (i) “to public and pri- 
vate organizations using the SSN for health, welfare, or educational 
purposes” and (ii) to facilitate research activities. 

Although we recognize the spirit of cooperation that prompted 
the Task Force position, we believe that the effect of the recom- 
mendations would unnecessarily spread use of the SSN. Our recom- 
mendations limit SSN services even more narrowly than the Task 
Force recommendations. 


We recommend 


(9) That the Social Security Administration provide “SSN 
services” to aid record keeping only to organizations or per- 
sons that are required by Federal law to obtain or record the 
SSN, and then only as necessary to fulfill the purposes for 
which the SSN is required to be obtained or recorded; and 


3 Op, cit. pp. 26-27 
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(10) That the Social Security Administration provide “SSN 
services” to aid research activities only when it can assure that 
the provision of such services will not result in the use of the 
SSN for record-keeping and reporting activities beyond those 
permitted under recommendation (9), and then only provided 
that rigid safeguards to protect the confidentiality of personal 
data, including the SSN, are incorporated into the research 


design. 


These recommendations distinguish between use of the SSN ne 
record-keeping purposes and its use for research activities. S : 
services must not be provided to aid an organization's recor - 
keeping, except to the extent necessary to enable the ei 
to fulfill requirements associated with its Federally imposed 9 
tions to collect and record the number. Our recommendation - 
would prohibit organizations from using the SSN beyond this lim! ; 
and the Social Security Administration would be obliged to perene 
from providing SSN services in cooperation with a violation of the 
prohibition. As an interim measure, the Social Security Administra- 
tion should limit SSN services as though recommendation (8) were 
in force. The limitation must apply to all cases, including requests 
from organizations that provide health, education, and welfare 
The effect of our recommendations may be illustrated by a voi 
discussed in the Social Security Number Task Force Report. a 
State mental health service requested SSN services from the ee 
Security Administration to enable it to use the SSN as the paen: 
identification number in a new computerized record-keeping A 
tem. It evidently wanted to use the number for general adminis 
trative record keeping; such a use is not legally required for 
Federal program purpose. The mental health service is eres a 
use the SSN to report the earnings and income taxes of i 4 Seite 
employees; it might also need to obtain and use the SSNs o a 
of its patients to comply with record-keeping cig bec stele Z : 
eral benefit programs mandated by the Social Security Act, ae 
Medicare. However, its Federally required SSN uses do not ex oe 
to using the SSN for all patient record keeping, and the me 


4Tbid., pp. 24-25. 
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health service can clearly create its own identification code to track 
patients. 

If the SSN Task Force recommendations were to be followed in 
this case, the Social Security Administration would provide SSN 
services to the mental health service for all its patient record keep- 
ing (to simplify the service’s reporting of unduplicated patient 
counts to HEW’s National Institute of Mental Health). Under our 
recommendation, by contrast, the Social Security Administration 
would not provide SSN services, and the SSN would, therefore, not 
be spread by various uses of mental health service records and thus 
become available for still other uses. 

Recommendation (10) recognizes the interest in providing SSN 
services in support of various kinds of evaluation and research activ- 
ities. There is no reason why this cannot be done without adding to 
the unnecessary spread of the SSN for record-keeping and data- 
processing activities or to SSN dissemination of the sort we wish to 
curtail. 

In the case discussed above, suppose that the State mental health 
service proposes to conduct studies of the effectiveness of its 
services, and that knowing the SSNs of its patients, and having SSN 
services, might help in some way. Lacking any Federal requirement 
to use the SSN for evaluation research, the mental health service 
could not compel disclosure of patients’ SSNs for that purpose. 
However, for all patients’ SSNs voluntarily disclosed with informed 
consent, our recommendation (10) would permit the Social Secu- 
rity Administration to provide SSN services. 


PROHIBITION OF NON-DATA-PROCESSING 
USES OF THE SOCIAL SECURITY NUMBER 


The SSN is sometimes used for a purpose having nothing to do 
with identification, record keeping, or data processing. While these 
uses do not directly contribute to unfair information practices, they 
have other undesirable effects. Consider these examples. 


e “Lucky number” contests in which an SSN is drawn, and its 
holder is awarded some prize. This is objectionable because it 
may induce people to try to obtain extra SSNs to increase 
their chances of winning, and because it trivializes the SSN. 
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e Various items of merchandise, such as wallets, sold with a 
number-bearing facsimile Social Security card enclosed. This is 
how one such sample number noted in Chapter VII® came to 
be used by more than five thousand people. There are un 
doubtedly other difficulties that have not yet come to light. 
We understand that such practices are abating as a result of 
years of intensive (and expensive) fieldwork by the Social Se- 
curity Administration which; however, has no legal authority 
to prevent them. . 
» “Skip-tracing” efforts in which, to quote a Social Security 
Administration manual, 
[debt or tracing organizations occasionally use special cor- 
respondence techniques to obtain information from an indi- 
vidual owing money. Some mail out postcards showing a 
false [SSN] and asking “Is this your Social Security num- 
ber? If not, call the number listed below to correct this 
matter.” 


i i j rac- 
This is blatantly deceptive and violates reputable business pre 
tice. It may also lead people to think that the Social Security 


Administration is somehow cooperating with skip-tracers. 


x 


Security Cards and SSNs tend to 
interfere with appropriate uses of the SSN and to confuse the aaa 
lic about its proper purposes. They also complicate the work of the 
Social Security Administration. Accordingly, we recommend 


Such spurious uses of Social 


(11) That specific and preemptive Federal legislation be en- 
acted prohibiting use of an SSN, or any number represented as 
an SSN, for promotional or commercial purposes. 


LS 


5 Note 4, p. 112, above. 


IX 


Action Agenda for the 


Secretary of Health, Education, 
and Welfare 


The charter directs us to specify the steps that must be taken to 
put our recommendations into effect. We have done so in this chap- 
ter. For each action outlined below, the chapter and pages of the 


report where the correspondin Pees 
ae g recommendation 
indicated. is discussed are 


Legislation 


We have made a number of recommendations that require the 
submission of legislative proposals to the Congress as follows. 


¢ To establish a code of fair information practice for ail auto- 
mated personal data systems maintained by agencies of the 
Federal government or by organizations within reach of the 
authority of the Federal government. The code should em- 
body safeguard requirements for both administrative systems 
and systems used exclusively for statistical Teporting and re- 
search, and should provide injunctive relief as well as civil and 
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penal sanctions for violation of the code [Ch. IV, pp. 50, 
53-64; Ch. V, pp. 86-87; Ch. VI, pp. 97-102]. 

e To establish protection against compulsory disclosure 
through legal process for identifiable personal data used 
exclusively for statistical reporting and research [Ch. VI, pp. 
102-106]: 

e To amend the Freedom of Information Act to require that 
an agency obtain the consent of an individual before disclosing 
data about him in identifiable form [Ch. IV, pp. 64-66]. 


e To protect individuals against unauthorized use of the So- 
cial Security number by providing that: 


(i) an individual shall have the right not to disclose his 
Social Security number unless specifically required to do so 
by Federal statute [Ch. VIII, pp. 125-126]; 


Gi) any oral or written request made to an individual for his 
Social Security number shall be accompanied by a clear 
statement of the legal basis for the request (Ch. VIII, 
pp. 125-126]; 

(iii) an individual shall have a right to redress if his lawful 
refusal to disclose his Social Security number results in the 
denial of a benefit, or the threat of such denial [Ch. VIII, 
pp. 125-126]; 


(iv) any organization or person required by Federal law to 
obtain and record the Social Security number of an indi- 
vidual shall be prohibited from using or disclosing it without 
the individual’s informed consent, except as may be neces- 
sary to the Federal purposes for which the number was 
obtained and recorded [Ch. VIII, pp. 130-132]. 
e To prohibit any person or organization from using any So- 
cial Security number, or any number represented as a Social 


Security number, for promotional or commercial purposes 
[Ch. VII], pp. 134-135]. 


¢ To amend Section 609(a) of the Fair Credit Reporting Act 


(i) to give an individual the right to inspect personally the 
records that any consumer-reporting agency maintains 
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about him, and to copy their contents or have copies made 
[Ch. IV, pp. 66-70] ; 


(ii) to delete the exceptions from disclosure to an indi- 
vidual now permitted for medical information and sources 


of information used in investigative consumer reports [Ch. 
IV, pp. 70-71]. 


Action by the Secretary to initiate these legislative proposals 
should be taken in concert with the Attorney General, the Secre- 
tary of the Treasury, and the Chairman of the Federal Trade Com- 
mission, as appropriate. 


Administrative Action 


Many of our recommendations can be implemented by the issu- 
ance of regulations or administrative guidelines. 


Regulations should be issued: 


e To make applicable all the safeguard requirements for auto- 
mated personal data systems to all systems within the Depart- 
ment [Ch. IV, pp. 50-64; Ch.V, pp.85-87; Ch. VI, pp. 
95-102]. 

e To make applicable all the safeguard requirements for auto- 
mated personal data systems to all systems that can be reached 
through grant, contract, or other relations with the Depart- 
ment [Ch. IV, p. 50; Ch. V, p. 86; Ch. VI, p. 96]. 


e To amend the Department’s regulation under the Freedom 
of Information Act to provide that the consent of an indi- 
vidual shall be obtained before disclosing any data about him 
in identifiable form [Ch. IV, pp. 65-66]. 


Administrative guidelines should be issued: 


e Establishing procedures for rigorous and thorough evalu- 
ation of 


(i) any proposal to create or expand any automated per- 
sonal data system within the Department [Ch. IV, pp. 51-52]; 
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(ii) any proposal to use administrative personal data for 
statistical reporting or research [Ch. V, pp. 82-86] ; and 


(iii) any proposal that would tend to require the creation or 
expansion of an automated personal data system outside the 
Department in response to requirements or needs of pro- 
grams and activities of the Department [Ch. IV, p. 52]. 


e Requiring that a regulation, with notice of proposed rule 
making, be issued by the Department before taking any action 
that would tend to require a State, locality, or other grantee to 
create or expand an automated personal data system [Ch. IV, 
p. 52].. 


e Providing for the publication annually of a compilation of 
the public notices of all automated personal data systems 
maintained within the Department [Ch. IV, pp. 57-58; Ch. VI, 
pp. 99-101]. 


¢ Directing the Social Security Administration: 


(i) to undertake a positive program to issue Social Security 
numbers to ninth-grade students in schools, provided (a) 
that no school system be induced to cooperate in such a 
program contrary to its preference; and (b) that any person 
shall have the right to refuse to be issued a Social Security 
number in connection with such a program [Ch. VIII, 
127-128]; . 


(ii) to undertake no positive program of issuing Social Secu- 
rity numbers to children below the ninth-grade level [Ch. 
VIII, p. 128]; 


(iii) to limit affirmative measures taken to issue Social Se- 
curity numbers pursuant to subparagraph (B) (i) (ID of Sec- 
tion 205 (c) (2) of the Social Security Act, as amended by 
Section 137 of Public Law 92-603, to applicants for or 
recipients of public assistance benefits supported from Fed- 
eral funds under the Social Security Act [Ch. VIII, pp. 
128-130] ; 

(iv) to provide SSN services only to organizations or per- 
sons required by Federal law to obtain or record the Social 
Security number, and then only as necessary to fulfill the 
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health services delivery, public assistance, juvenile delinquency 
prevention, and community mental health; 


purposes for which the number is required to be obtained or 
recorded; or in aid of research activities whose design in- 
corporates rigid safeguards to protect the confidentiality of 
personal data, including the Social Security number [Ch. 
VIII, pp. 132-134]. 


» Encouraging the development of standards of ethical 
behavior and professional competence for data-processing 
personnel; 

(v) to monitor all future legislative proposals dealing with 
the Social Security number and to recommend actions to be 
taken by the Secretary to assure that such proposals will be 
enacted only after full and careful consideration in well 
advertised hearings that elicit substantial public participa- 
tion [Ch. VIII, pp. 129-130]. 


e Enhancing the capacity of the Federal government to design 
and develop computer-based record-keeping systems without 
reliance on outside specialists; 


e Monitoring the application of the safeguard requirements to 
determine whether they are having their intended effect and, 
most important, whether they are themselves a source of any 


Additiortal Action adverse social consequences; 


e Cooperating with the States in developing uniform State 
legislation to establish the recommended code of fair informa- 
tion practice for all automated personal data systems that 
would not be reached by Federal legislation. Among the orga- 


In addition to the steps necessary to put our recommendations 
into effect, there are some further steps the Department can take to 
assure that the goals of the recommendations are fully achieved. 


’ These include: 


e Communicating opposition to any proposal for the adop- 
tion of any nationwide, standard, personal identification 
format, with or without the SSN, that would enhance the 
likelihood of arbitrary or uncontrolled linkage of records 
about people, particularly between government or govern- 
ment-supported automated personal data systems; 


e Making comments on proposed Federal legislation having 
implications for personal privacy in record keeping which will 
seek to assure incorporation in such legislation of safeguard 
requirements of the kind recommended in this report for all 
automated personal data systems; 


« Encouraging attention in all forms of educational activity to 
the individual citizen’s stake in his personal privacy, to the 
practical exercise of his rights with respect to the records 
maintained about him, and to the social impact of computer- 
based record-keeping systems; 


e Supporting research on the use and impact of computer- 
based record-keeping systems in such areas as education, 


nizations through which such cooperation might be under- 
taken are the National Conference of Commissioners on 
Uniform State Laws, the Advisory Commission on Intergov- 
ernmental Relations, the Council of State Governments, the 
National Governors Conference, the National Legislative Con- 
ference, and the National Conference of State Legislative 
Leaders. 


e Urging the Office of Management and Budget to direct all 
Federal agencies to require their grantees and contractors to 
operate automated personal data systems with all the safe- 
guards we recommend for systems supported by the Depart- 
ment. In the interest of convenience and simplicity for grant- 
ees and contractors, the Office of Management and Budget 
might prescribe government-wide grant and contract condi 
tions incorporating the safeguard requirements we recom- 
mend, just as it now prescribes conditions in such areas as 
intergovernmental planning and financial management. While 
such action may not be feasible until there has been some 
experience in applying the safeguard requirements, we would 
expect to see the Department take a lead role in promoting 
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uniform, government-wide safeguard requirements for auto- 
mated personal data systems of Federal grantees and contrac- 
tors. 


Organizational Responsibility 


Responsibility for taking the actions necessary to implement our 
recommendations will have to be assigned to many officials of the 
Department who are already burdened with other duties. They will 
need guidance and assistance. The Secretary will need to designate 
someone who can devote substantial time and effort to assuring 
that these actions are taken in a timely and effective fashion. There- 
fore, an official in the Office of the Secretary should be given 
responsibility to serve as a combination advisor, monitor, and 
catalyst to assure that the concerns addressed in this report receive 
continuing attention, and specifically, to assure that automated per- 
sonal data systems within the Department, and within grantee and 
contractor agencies, are operated in accordance with the safeguards 
we recommend. This official should have adequate authority, staff, 
and support to conduct these activities effectively. 

This official should be directed to embark on a positive program 
of heightening concern within the Department for the issues raised 
in this report. This program should reach to all who now do, or are 
apt in the future, to use, direct, or contribute to the use or develop- 
ment of automated personal data systems, at all Civil Service grade 
levels and in all operating agencies. 


Immediate Action 


We expect that the Secretary may wish to have the report re- 
viewed by many key officials of the Department, including the 
heads of each of the Department’s operating agencies. Following 
such a review, a detailed plan to carry out the foregoing action 
agenda will have to be formulated. 
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Once such a plan has been adopted, responsibility will have to be 
assigned to someone to oversee its execution. To start this process 


we recommend that the Secretary: 


e Assign responsibility for distributing the report for review 
to the Executive Secretary of the Department, and 


e Assign responsibility for preparing a detailed plan to carry 
out the action agenda to an official in the Office of the 


Secretary. 


Appendices 


Appendix A 


Meetings and Activities of the Secretary’s Advisory 
Committee on Automated Personal Data Systems 
February 27,1972 - March 31, 1973 


The effective date of formation of the Committee was February 
27, 1972, the date on which former HEW Secretary Elliot L. 
Richardson approved its Charter. The Committee’s first meeting 
was held on April 17 and 18, 1972, at the Fogarty International 
Center, National Institutes of Health, Bethesda, Maryland. Prior to 
the second meeting of the Committee, Frances Grommers, M.D., of 
Boston, Massachusetts, was appointed Chairman. In Jaunary 1973, 
Dr. Grommers was succeeded as Chairman by Dr. Willis H. Ware of 
the Rand Corporation, Santa Monica, California. 

The names and affiliations of the individuals who made presen- 
tations to the Committee at its nine meetings are listed below. An 
unedited transcript of each meeting has been deposited in the 
Department of Health, Education, and Welfare Library. 


FIRST MEETING, APRIL 17-18, 1972 


David B.H. Martin, Special Assistant to the Secretary of HEW 
Explanation of background and aims of Committee. 


Gerald L. Davey, President and Chief Executive Officer, Medlab 
Computer Services, Inc. 


Discussion of record-keeping practices and use of Social 
Security number in credit-reporting industry. 
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James C. Impara, Administrator of Educational Accountability, SECOND MEETING, MAY 18-19, 1972 


Department of Education, State of Florida 


Explanation of high school student records data systems of 
State of Florida. 


Patricia J. Lanphere, Assistant Supervisor, Bureau of Services to 
Families and Children, Department of Institutions, Social and 
Rehabilitative Services, State of Oklahoma 


Explanation of data systems used by her department. 


Prof. Arthur R. Miller, Harvard Law School 


Discussion of the law of privacy. 


Robert A. Knisely, Chairman, Urban Information Systems Inter- 
agency Committee (USAC); Director, Division of Community Man- 
agement Systems, Department of Housing and Urban Development 


Discussion of integrated municipal information systems. 


Arthur E. Hess, Deputy Commissioner, Social Security Administra- 
tion, DHEW 


Discussion of use of the Social Security number and the 
confidentiality of Social Security Administration records. 


Thomas S. McFee, Deputy Assistant Secretary for Management 
Planning and Technology, DHEW 
Discussion of the procedures under the Federal Reports Act of 
1942 governing the collection of information by the Federal 
government. 


Carole W. Parsons, Staff Associate, Division of Behavioral Sciences, 
National Academy of Sciences — National Research Council 


Discussion of activities and organization of the NAS-NRC 
Advisory Committee on Problems of Census Enumeration. 


Gerald L. Boyd, Deputy Director, Office of Family Benefits Planning, 
DHEW 


Discussion of planning, with emphasis on data systems, for the 
administration of benefit programs proposed in H.R. 1 (welfare 
reform legislation). 


Bernard H. Kroll, Head, Section on Systems Design and Data 
Processing, Office of Biometry, National Institute of Neurological 
Diseases and Stroke (NINDS), National Institutes of Health, DHEW 


Discussion of the Perinatal Collaborative Study of NINDS. 


Anthony J.J. Rourke, Jr., M.D., Chief, Office of Clinical and 
Management Systems, Clinical Center, National Institutes of Health, 
DHEW 
Discussion of the Clinical Center’s automated personal data 
systems. 


Joseph D. Naughton, Chief, Computer Center Branch, Division of 
Computer Research and Technology, National Institutes of Health, 
DHEW 
Presentation of the National Institutes of Health Computer 
Center. 


Kenneth A. McLean, Professional Staff Member, Committee on 
Banking, Housing, and Urban Affairs, U.S. Senate 
Discussion of the Fair Credit Reporting Act. 


Mario L. Juncosa, Physical Sciences Department, The Rand Corpora- 
tion 

Rein Turn, Information Sciences and Mathematics Department, The 
Rand Corporation 


Discussion of current studies. by The Rand i on 
security of data systems. 
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Harry S. White, Jr., Associate Director, Center for Computer 
Standards, National Bureau of Standards, Department of Commerce 


Discussion of activities of the American National Standards 
Institute (ANSI) in development of standard for identification 
of individuals proposed by ANSI. 


Lawrence M, Baskir, Chief Counsel and Staff Director, Constitutional 
Rights Subcommittee, Committee on the Judiciary, U.S. Senate 


Discussion of the Subcommittee’s activities, concerns, and hear- 
ings on Federal Data Banks, Computers and the Bill of Rights. 


THIRD MEETING, JUNE 15-17, 1972 


Roye L. Lowry, Clearance Officer, Statistical Policy Division, Office 
of Management and Budget, Executive Office of the President 


Thomas §. McFee, Deputy Assistant Secretary for Management Plan- 
ning and Technology, DHEW 


Arthur Benner, Chief, Forms and Records Management Section, 
Division of Operating Facilities, Office of Administration, Social 
Security Administration, DHEW 


Discussion of the procedures under the Federal Reports Act of 
1942 governing the collection of information by the Federal 
government. 


Michael A. Liethen, Office of the Chancellor — Legal Counsel, 
University of Wisconsin, Madison 
Discussion of record-keeping activities of the University of 


Wisconsin, Madison. 


Walter M, Carlson, Corporate Marketing Consultant, International 
Business Machines Corporation, and Past President of the Association 
for Computing Machinery 


Discussion of IBM’s data security program. 


Discussion of standard for identification of individuals proposed 
by the American National Standards Institute (ANSI). 
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Juan A. Anglero, Assistant Secretary for Planning and Development, 
Department of Social Services, Commonwealth of Puerto Rico 


Discussion of decentralization of data systems and the differen- 
tial impact of data systems according to socio-economic and 
ethnic status, 
Prof. Joseph Weizenbaum, Department of Electrical Engineering, 
Massachusetts Institute of Technology 


Discussion of linkages, centralization, and irreversible social con- 
sequences of data systems. 


Prof, Arthur R. Miller, Harvard Law School 


Discussion of the right of due process. 


Lois L. Elliott, Director, Management Information, Bureau of 

Education for the Handicapped, Office of Education, DHEW 
Discussion of the Uniform Migrant Student Record Transfer 
System. 


George Friedman, Assistant Bureau Director, Systems, Bureau of Data 
Processing, Social Security Administration, DHEW 
Discussion of data collection activities of the Social Security 
Administration, procedures for issuance of the Social Security 
number, and costs of maintaining data files. 


Gerald L. Davey, President and Chief Executive Officer, Medlab 
Computer Services, Inc. 


Outline of plans for proposed study of costs of creating and 
maintaining selected types of automated personal data systems. 


@ FOURTH MEETING, JULY 2426, 1972 


Earle P. Shoub, Deputy Director, Appalachian Laboratory for 
Occupational and Respiratory Diseases, Environmental Health Service, 
DHEW 

Edward J. Baier, Deputy Director, National Institute for Occupational 
Safety and Health, Health Services and Mental Health Administration, 
DHEW 


Discussion of the Morgantown, West Virginia Medical X-Ray 
Examination System. 
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Fred Sachs, Assistant Commissioner for Program Management, Reha- 
bilitation Services Administration, Social and Rehabilitation Service, 
DHEW 

Wesley Grier, Chief, Division of Program Surveys and Statistics, 
National Center for Social Statistics, DHEW 


Nathan Lesowitz, Chief, Statistical Branch, Rehabilitation Services 
Administration, Social and Rehabilitation Service, DHEW 


Discussion of the Vocational Rehabilitation Case Service Report 
System. 


Prof. Ithiel de Sola Pool, Department of Political Science, Massa- 
chusetts Institute of Technology 


Discussion of the -benefits and possible adverse consequences 
flowing from applications of the methods and tools of the social 
sciences, 


Dr. Robert R. J. Gallati, Director, New York State Identification and 
Intelligence System 


Adam D’Alessandro, Deputy Director, New York State Identification 
and Intelligence System 


Discussion of New York State Identification and Intelligence 
System (NYSIIS). 


Harry P. Cain Il, Director, Office of Program Planning and Evaluation, 
National Institute of Mental Health, Health Services and Mental 
Health Administration, DREW 


Irving Goldberg, Chief, Evaluation Studies Section, Biometry Branch, 
National Institute of Mental Health, Health Services and Mental 
Health Administration, DHEW 


Jean Warthen, Director, Center for Health Statistics, Maryland 
“Department of Mental Hygiene 


Discussion of the Maryland Psychiatric Case Register System. 
Allan Lichtenberger, Chief, Educational Data Standards Branch, 
National Center for Educational Statistics, DHEW 


John Putnam, Education Program Specialist,.Educational Data Stan- 
dards Branch, National Center for Educational Statistics, DHEW 
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Ivan N. Seibert, Education Program Specialist, Educational Data 
Standards Branch, National Center for Educational Statistics, DHEW 


Charles T. Roberts, Education Program Specialist, Educational Data 
Standards Branch, National Center for Educational Statistics, DHEW 


Discussion of Chapter 6 of Office of Education Handbook V, 
“Standard Terminology for Pupil Information in Local and 
State School Systems.” ~ 


St. John Barrett, Deputy General Counsel, DHEW 
William H. Small, Vice President, CBS News 


Samuel J, Archibald, Executive Director, Fair Campaign Practices 
Committee, Inc. 


Discussion of the Freedom of Information Act. 
Marvin Schneiderman, Acting Associate Scientific Director, Demog- 
raphy, National Cancer Institute, National Institutes of Health, DHEW 


Harvey Geller, Head, Special Cancer Survey Section, Biometry 
Branch, National Cancer Institute, National Institutes of Health, 
DHEW 


Theodore Weiss, Head, Automatic Data Processing Management 
Section, Biometry Branch, National Cancer Institute, National Insti- 
tutes of Health, DHEW 


Discussion of Third National Cancer Survey. 
Julius Shiskin, Chief Statistician, Office of Management and Budget, 
Executive Office of the President 


Joseph Waksberg, Associate Director for Statistical Standards and 
Methodology, Bureau of the Census, Department of Commerce 


John J. Carroll, Assistant Commissioner for Research and Statistics, 
Social Security Administration, DHEW 


Harold Nisselson, Assistant Director for Research, National Center for 
Educational Statistics, DHEW 


Sigmund Schor, Director, National Center for Social Statistics, DHEW 


Walt R. Simmons, Assistant Director for Research and Scientific 
Development, National Center for Health Statistics, DHEW 


Discussion of federal statistical programs. 
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FIFTH MEETING, AUGUST 17-19, 1972 


Alan E, Taylor, President, The Society of Certified Data Processors 
Observations on the different patterns of accuracy and ade- 
quacy in automated data systems. 

Harry V. Chadwick, Deputy Director, Indian Health Service, Health 

Services and Mental Health Administration (HSMHA), DHEW 


Alfred E. Garratt, Ph.D., Chief, Office of Management Information 
Systems, Health Program Systems Center, Indian Health Service, 
HSMHA, DHEW 


Rice Leach, M.D., Director, Indian Health Service Unit, Sells, Arizona 
Discussion of the Indian Health Service Health Information 
System. 

F. M. Wilkerson, Vice President for Data Services, Trans World 

Airlines 
Discussion of the Trans World Airlines Reservation System. 

Richard J. Gwin, Director General, Socio-Economic Planning, Depart- 

ment of Communications, Government of Canada 
Discussion of Canadian perspectives on automated personal data 


systems and privacy. 


David B. H. Martin, Special Assistant to the Secretary and Executive 
Director, Secretary’s Advisory Committee on Automated Personal 
Data Systems, DHEW 


Briefing on DHEW organizational structure and functions. 
Inspector Donald R. Roderick, National Crime Information Center, 
Federal Bureau of Investigation 


Special Agent Dennis Lofgren, National Crime Information Center, 
Federal Bureau of Investigation 


Discussion of the National Crime Information Center of the FBI. 


William Simmons, Director, Student Loan Program, Bureau of Higher 
Education, Office of Education, DHEW 
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Harry Lester, Branch Chief, General Education Data Systems, Division 
of Automated Data Processing, Office of Education, DHEW 

Alice Hansen, Chief, Reports and Analysis, Division of Insured Loans, 
Bureau of Higher Education, Office of Education, DHEW 


Carol Wennerdahl, Administrative Director, [linois Guaranteed Loan 
Program ; 
Discussion of the Guaranteed Student Loan Program. 


Walter L. Schlenker, Chairman, Genera! Electric Corporate Informa- 
tion Standards and Codes Committee, General Electric Company 


Emmet E. DeLay, Manager, Informations Systems Operations, Gen- 
eral Electric Credit Corporation 


Discussion of individual identifiers for automated personal data 
systems. 


Donald Roache, Acting Assistant Administrator, Program Statistics 
and Data Systems, Social and Rehabilitation Service, DHEW 


William E., Cleaver, Senior Computer Systems Analyst, Division of 
State Systems Management, Social and Rehabilitation Service, DHEW 


Harry Overs, Assistant Bureau Director, Bureau of District Office 
Operations, Division of Operating Policies and Procedures, Social 
Security Administration, DHEW 

Richard K. M. Bridges, Assistant Director, Assistance Payments Unit, 
Division of Family and Children Services, Department of Human 
Resources, Atlanta, Georgia 

Paul A. Skelton, Director, Division of Administrative Services, 
Department of Health and Rehabilitative Services, Tallahassee, Florida 


Discussion of Social and Rehabilitation Service proposed regula- 
tions on the use of the Social Security number. 


Sheila M. Smythe, Executive Associate, Blue Cross-Blue Shield, and 
Chairman, ANSI Committee X 3L8.3—Individual and Business 
Identifications 

Albert C. Kocourek, Data Processing Manager, Rouse Corporation, 
and Chairman, Unprofessional Practices Committee, The Society of 
Certified Data Processors 


Discussion of the proposed ANSI standard on identification of 
individuals for information interchange. 
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Paul Fisher, Chief, International Staff, Office of Research and 
Statistics, Social Security Administration, DHEW 


Discussion of data systems for social insurance programs in 
foreign countries. 


SIXTH MEETING, SEPTEMBER 28-30, 1972 


Joseph €. Wilberding, Executive Director and General Counsel, 
Medical Information Bureau (M.1.B.), Greenwich, Connecticut 


Discussion of the M.I.B. information system. 


A. Neil Pappalardo, Vice President, Medical Information Technology, 
Inc., Cambridge, Massachusetts 


Discussion of Meditech’s medical information systems. 


William F. Atchison, Director, Computer Science Center, University 
of Maryland, College Park, Maryland; Chairman, Education Board of 
the Association for Computing Machinery; and Chairman, Working 
Group on Secondary Education in Computers, International Federa- 
tion of Information Processing Societies 


Truman Botts, Executive Director, Conference Board of the Mathe- 
matical Sciences, Washington, D.C. 


Peter G. Lykos, Program Director, Computer Impact on Society, 
National Science Foundation, Washington, D. C. 


Seymour A. Papert, Professor of Mathematics and Co-Director, 
Attificial Intelligence Laboratory, Massachusetts Institute of Technol- 
ogy 
Discussion of education regarding computers and their impact 
on society. 


John N. Williamson, Ed.D., Research Specialist, The Rand Corpora- 
tion, Washington, D. C. 


Presentation and demonstration of REACT (Relevant Educa- 
tional Applications of Computer Technology), course segment 
entitled “The Social Impact of Computers,” 


Richard T. Penn, Jr., Program Manager, Technical Analysis Division, 
National Bureau of Standards, Washington, D. C. 


Dr. Alfred Blumstein, Director, Urban Systems Institute and Profes- 
sor, Urban Systems and Operations Research, School of Urban and 
Public Affairs, Carnegie-Mellon University, Pittsburgh, Pennsylvania 
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David Storm, Assistant Vice President, First National City Bank, New 
York, New York 

Robert R. J. Gallati, Director, New York State Identification and 
Intelligence System, Albany, New York 


David Link, Associate Dean, Notre Dame Law School, and Chairman, 
Committee on Science and Technology, American Bar Association 


Larry P. Polansky, Deputy Chief Court Administrator, Common Pleas 
Court of Philadelphia, Philadelphia, Pennsylvania 
Chief Judge Harold H. Greene, Superior Court of the District of 
Columbia 

Discussion of court record-keeping practices. 


William M. Adams, Associate Director, Operations and Automation 
Division, American Bankers Association, Washington, D.C. 


Charles Borsom, Executive Vice President, National Society of 
Controllers and Financial Officers, Chicago, Hlinois 

Richard W. Freund, Vice President, First National City Bank, New 
York, New York 


Kenneth A. McLean, Professional Staff Member, Banking, Housing, 
and Urban Affairs Committee, United States Senate 


Discussion of personal data systems in financial institutions. 
Andrew O. Atkinson, Superintendent, Regional Computer Center, 
Cincinnati/Hamilton County , Ohio 


William Mitchel, Senior Consulatant, Claremont Graduate School, 
Claremont University, Claremont, California 


Selma J. Mushkin, Professor of Economics, and Director, Public 
Services Laboratory, Georgetown University, Washington, D.C. 


Charles R. Rowan, Executive Director, National Association for State 
Information Systems, Englewood, Colorado 


Myron E. Weiner, Associate Extension Professor, Institute of Public 
Service, University of Connecticut, Storrs, Connecticut 


Discussion of state and municipal information systems. 


SEVENTH MEETING, NOVEMBER 9-11, 1972 


Ralph Abascal, Managing Attorney, Law Reform Unit, San Francisco 
-Neighborhood Legal Assistance Foundation 


Discussion of the “California Earnings Clearance System.” 
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John Shattuck, Staff Counsel, American Civil Liberties Union 
(ACLU) 


Ira Glasser, Executive Director, New York Civil Liberties Union 
Frank Donner, Research Director, ACLU Surveillance Project 
Discussion of individual cases concerning automated personal 
data systems which have come to the attention of the ACLU. 
William H. Corbett, Private Citizen 
Discussion of a problem with multiple issuance of social security 


numbers. 


Otilio Mighty , Director, Veteran’s Affairs, New York Urban League 


Joe Garcia, Executive Director, Seattle Veterans Action Center 
Discussion of veterans’ perspectives on automated personal data 
systems. 

Gordon Manser, Associate Director, National Assembly for Social 

Policy and Development, Inc. 


Eloise Waite, National Director for Services to Military Families, 
American Red Cross, and Chairman, Committee on Confidentiality of 
the National Assembly for Social Policy and Development, Inc. 


Discussion of the National Assembly’s Committee on Confiden- 
tiality and the responsibilities of voluntary social service 
agencies to their clients and funding sources. 


Mary Drabik Norman Matthews, and Kenneth William, People Against 
National Identity Cards (PANIC), Cambridge, Massachusetts 


Discussion of PANIC’s position on the Social Security number 
as a unique, universal personal identifier, 


EIGHTH MEETING, DECEMBER 15-16, 1972 


Robert M. Ball, Commissioner, Social Security Administration, DHEW 


Discussion of policy issues raised by spread in the use of the 
Social Security number as a personal identifier. 
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NINTH MEETING, MARCH 1-3, 1973 


No presentations. Meeting devoted exclusively to review of draft 
final report... 


Other Organizations Contacted by the Committee 


In September 1972, the Committee wrote to approximately 250 
public interest groups and trade and professional associations 
seeking information about parallel studies and fact-finding efforts. 
Approximately 110 replied; of those, about half expressed strong 
interest in the Committee’s work and 22 provided copies of 
completed studies or policy statements dealing with the handling of 
records about identifiable individuals. The organizations contacted 
by the Committee are listed below. 


*American Anthropological Association 

American Association for the Advancement of Science 
American Association for Maternal and Child Health 
American Association of Retired Persons 

American Association of School Administrators 
American Association of State Colleges and Universities 
American Association of University Professors 
American Association of University Women 

American Association on Mental Deficiency 

American Bankers Association 

American Bar Association 

American Cancer Society 

American Civil Liberties Union of New York . 
American Civil Liberties Union of Northern California 
American Civil Liberties Union of Oregon 

American Civil Liberties Union of Southern California 
American Civil Liberties Union of Texas 

American Collectors Association 

American College Admissions Center 

American Compensation Association 

American Correctional Association 


* Sent copies of completed studies or policy statements. 
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American Council on Consumer Interests 

* American Council on Education 

American Dental Association 

American Economic Association 

American Federation of Government Employees 

American Federation of Information Processing Societies 

AFL-CIO 

American Federation of State, County, and Municipal Employees 

American Federation of Teachers 

American Finance Association 

American Friends Service Committee 

* American Hospital Association 

American Institute of Architects 

American Institute of Certified Public Accountants 

American Institute of Planners 

*American Institutes for Research 

American Insurance Association 

American Library Association 

American Management Association 

American Marketing Association 

American Medical Association 

American Medical Record Association 

American National Standards Institute 
American National Standards Committee 239, 
Library Work, Documentation and Related Publishing Practices 

American Newspaper Publishers Association 

* American Nurses’ Association 

American Nursing Home Association 

American Personnel and Guidance Association 

American Pharmaceutical Association 

American Political Science Association 

American Psychiatric Association 

* American Psychological Association 

American Public Health Association 

American Public Welfare Ass iation 


* Sent copies of completed studies or policy statements. 
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American Retail Association Executives 
American Schoo) Health Association 

American Society for Industrial Security 
American Society for Information Science 
American Society for Personnel Administration 
American Society for Public Administration 


‘ American Society of Newspaper Editors 


*American Sociological Association 
American Statistical Association (ASA) 
ASA, Southern California Chapter 
Americans for Democratic Action 
Americans for Indian Opportunity 
Associated Credit Bureaus, Inc. 
Association for Computational Linguistics 
Association for Computing Machinery 
Special Interest Group on Computers and Society 
Biomedical Computing Society 
Joint Users Group 
Association for Systems Management 
Association of American Colleges 
Association of American Law Schools 
* Association of American Medical Colleges 
Association of American Publishers 
Association of American Universities 
* Association of Computer Programmers and Analysts 
* Association of Data Processing Service Organizations 
Association of Governing Boards of Universities and Colleges 
Association of Independent Software Companies 
Association of Private Pension and Welfare Plans, Inc. 
Association of Schools of Allied Health Professions 
Association of Schools of Public Health 
Association of Social and Behavioral Scientists 
Association of Volunteer Bureaus of America 


Bank Administration Institute 

Blue Cross Association 

Brookings Institution 

Bureau of Applied Social Research, Columbia University 
Business Equipment Manufacturers Association 


* Sent copies of completed studies or policy statements. 
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California Bankers Association 

California Rural Legal Assistance 

California State College Student Presidents Association 
California State Department of Education 
Center for Ethnic Affairs 

Center for Law and Social Policy 

Center for the Study of Democratic Institutions 
Chamber of Commerce of the United States 
*Child Welfare League of America 

Church Women United 

College Entrance Examination Board 

College Placement Council 

Committee for Public Justice 

Common Cause 

Communications Workers of America 
Community Action Council 

Computer Industry Association 

Computer Lessors Association 

*Computer Science and Engineering Board, National Academy of 

Sciences 

Congress on Racial Equality 

Consumer Credit Insurance Association 
Consumer Education and Protective Association 
Consumer Federation of America 

Council for Financial Aid to Education 

Council of Chief State School Officers 

Council of Graduate Schools in the United States 
Council of State Governments 
Council on Consumer Information 
Council on Social Work Education, Inc. 
Credit Research Foundation 


*Data Processing Management Association 
Daughters of the American Revolution 


Educational Development Center, The Claremont Colleges 
*Educational Testing Service 


* Sent copies of completed studies or policy statements. 
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Family Service Association of America 
Freedom of Information Center, University of Missouri at Columbia 


Group Health Association of America, Inc. 
Guidance for Users of Integrated Data Processing Equipment 


HADASSAH 
Health Insurance Association of America 
Health Insurance Institute 


Information Industry Association 

Institute for Computer Research 

Institute for Policy Studies 

Institute for Public Interest Representation, Georgetown 

University Law Center 
*Institute for Social Research, University of Michigan 
Institute of Criminal Law and Procedure, Georgetown University 
Law Center 

Institute of Electrical and Electronic Engineers 

Institute of Life Insurance 

Institute of Management Sciences 

Institute of Mathematical Statistics, Michigan State University 

institute of Public Administration 

Institute on Law and Urban Studies 

International Association for Identification Records and Identifi- 
cation 

International Association of Consumer Credit Administrators 

International Association of Machine Workers 

International Brotherhood of Electrical Workers 

International Brotherhood of Teamsters, Chauffeurs, and Ware- 
housemen of America 

International City Management Association 

International Consumer Credit Association 

International Ladies Garment Workers Union 

International Union. of Electrical, Radio and Machine Workers 


* Sent copies of completed studies or policy statements. 
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Interstate Commission on Status of Women 
Inter-University Consortium for Political Research 


Joint Media Committee 


*Lawyers Committee for Civil Rights Under Law 
League of United Latin American Citizens 
League of Women Voters 

*League of Women Voters (Illinois) 

Life Office Management Association 


Mountain States Regional Medical Program 
Mutual Insurance Advisory Association 


*National Accreditation Council for Agencies Serving the 
Blind and Visually Handicapped 
*National Assembly for Social Policy and Development, Inc. 
National Association for Advancement of Colored People 
National Association for Statewide Health and Welfare 
National Association of Broadcasters 
National Association of Consumer Credit Administrators 
National Association of Counties 
National Association of Credit Management 
National Association of Manufacturers 
National Association of Mutual Savings Banks 
National Association of Negro Business and Professional Women’s 
Clubs, Inc. 
National Association of Social Workers 
National Association of State Universities and Land Grant Colleges 
National Association of Women’s Deans and Counselors 
National Bureau of Standards, Institute for Applied Technology 
National Catholic Educational Association 
*National Center for Higher Education and Management Systems 
National Committee for Children and Youth 
National Committee on the Education of Migrant Children 
National Conference of Black Lawyers 
National Conference of State Social Security Administrators 
National Conference on Social Welfare 


* Sent copies of completed studies or policy statements. 
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National Congress of American Indians 
National Congress of Parents and Teachers 
National Consumers League 

National Council of Health Care Services 
National Council of Negro Women, Inc. 
National Council of Senior Citizens 


. National Council of State Education 
.*National Council on Crime and Delinquency 


*National Education Association 

National Emergency Civil Liberties Committee 
National Federation of Business and Professional Women’s Clubs 
National Federation of Federal Employees 
National League of Cities 

*National League for Nursing 

National Legal Aid and Defender Association 
National Municipal League 

National Opinion Research Center 

National Rehabilitation Association 

National School Boards Association 

National Small Business Association 

National Student Association 

National Student Lobby 

National Tenants Organization 

National Urban Coalition 

National Urban League 

National Welfare Rights Organization 
*Neighborhood Health Center Seminar Program (OEO) 
Neighborhood Legal Services 

New York Bar Association 

New York State Education Department 
Newspaper Guild 


Ohio State Bar Association 


People Against National Identity Cards 

Planned Parenthood-World Population (Planned Parenthood 
Federation of America, Inc.) 

Political Data Archive, Michigan State University 

Political Science Laboratory and Data Archive, Indiana University 


* Sent copies of completed studies or policy statements. 
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Population Association of America 
Professional Women’s Caucus 
Public Services Laboratory, Georgetown University 


Regional Social Science Data Archive, University of Iowa 
Rhode Island Consumers’ Council 
Rhode Island Council of Community Services, Inc. 


Seafarers International Union of North America 

Seattle Veterans Action Center 

Sigma Delta Chi 

Simulations Councils, Inc. 

Social Data Exchange Association 

Social Science Data Archive, Survey Research Laboratory, Univer- 
sity of Illinois 

Social Science Data Center, University of Connecticut 

Social Science Data Center, University of Pennsylvania 

Social Science Information Center, University of Pittsburgh 

Social Science User Service, Princeton University 

Society for Information Display 

Society for Personnel Administration 

Society of Data Educators 

Southern Christian Leadership Conference 

Student American Medical Association 

Student National Coordinating Committee 

Survey Research Center, University of California at Berkeley 


Travelers Aid, International Social Service of America 


United Automobile, Aircraft and Agricultural Implement Workers 
of America 

U.S. Conference of Mayors 

United Steel Workers of America 

Unitarian Universalist Association 

UNIVAC Users Association 

University Legal Services 


Virginia Bureau of Vital Records and Public Health Statistics 


Western Electronic Manufacturers Association 
Women’s Action Alliance 
Women’s Equity Action League 


Appendix B 


“Computers and Privacy”: 
The Reaction in Other Countries 


Common Concerns 


Most of the advanced industrial nations of Western Europe and 
North America share concerns about the social impact of com- 
puter-based personal data systems. Although there are minor 
differences in the focus and intensity of their concerns, it is clear 
that there is nothing peculiarly American about the feeling that the 
struggle of individual versus computer is a fixed feature of modern 
life. The discussions that have taken place in most of the industrial 
nations revolve around themes that are familiar to American 
students of the problem: loss of individuality, loss of control over 
information, the possibility of linking data banks to create dossiers, 
rigid decision-making by powerful, centralized bureaucracies. Even 
though there is little evidence that any of these adverse social 
effects of computer-based record keeping have occurred on a 
noticeable scale, they have been discussed seriously since the late 
sixties, and the discussions have prompted official action by many 
governments as well as by international organizations. 

Concern about the effects of computer-based record keeping on 
personal privacy appears to be related to some common character- 
istics of life in industrialized societies. In the first place, industrial 
societies are urban societies. The social milieu of the village that 
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allowed for the exchange of personal information through face-to- 
face relationships has been replaced by the comparative imperson- 
ality of urban living. Industrial society also demands a much more 
pervasive administration of governmental! activities—the collection 
of taxes, health insurance, social security, employment services, 
education—many of which collect and use personal data in an 
impersonal way. Nor should we overlook the increasing uniformity 
of industrial societies fostered by mass communications media so 
efficient that few issues of genuine interest and importance fail to 
achieve near-global extent. 

Concern about the effects of computer-based record keeping 
appears to have deep roots in the public opinion of each country, 
deeper roots than could exist if the issues were manufactured and 
merchandised by a coterie of specialists, or reflected only the views 
of a self-sustaining group of professional Cassandras. The fragility of 
computer-based systems may account for some of the concern. It is 
not necessary for public opinion to be unanimously opposed to the 
computerization of personal-data record keeping, or even actively 
mistrustful of it, to destroy the effectiveness of a record-keeping 
operation. The active opposition of even a few percent of those 
whom a system means to serve can cripple the powerful, but fragile, 
mechanism of a highly automated system. 

Nor is it necessary for this opposition to be manifested in 
physical sabotage of the computer itself (although that has 
happened); it is enough merely to withhold cooperation. There are 
few computer systems designed to deal with the disruption that 
deliberately lost or mutilated punched cards in a billing system—to 
give a simple example—would cause. Thus, the very vulnerability of 
automated personal data systems, systems without which no 
modern society could function, may make careful attention to the 
human element transcend national boundaries. 


The Response in Individual Nations 


WEST GERMANY 


On October 7, 1970, the West German State of Hesse adopted 
the world’s first legislative act directed specifically toward regulat- 
ing automated data processing. This “Data Protection Act” applies 


so 
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to the official files of the government of Hesse; wholly private files 
are specifically exempted from control. The Act established a Data 
Protection Commissioner under the authority of the State parlia- 
ment whose duty it is to assure that the State’s files are obtained, 
transmitted, and stored in such a way that they cannot be altered, 
examined, or destroyed by unauthorized persons. The Commis- 
sioner is also explicitly responsible for observing the effects of 
automated data processing on the operations of the State govern- 
ment, and on its decision-making powers. He must take particular 
note of whether computerization leads to any displacement in the 
distribution of powers among the governmental bodies of the State. 

Thus, the Data Protection Act of Hesse seems designed more to 
protect the integrity of State data and State government than to 
protect the interests of the people of the State. As a pioneer statute 
in the field of computer law, however, its exact practical effects 
could scarcely have been predicted, and in no way diminish its 
usefulness as a guide for other jurisdictions that can learn from the 
Hesse experience. 

To judge from the second annual report of the Data Protection 
Commissioner, that experience has been one of mild philosophical 
frustration, punctuated by occasional practical victories.! In one 
instance, the Commissioner learned of the existence of a computer 
in a university clinic only through a newspaper account of a fire; in 
another the Commissioner successfully blocked the release of 
criminal records to a private research center. 

Based on the experience of Hesse, the States of Rheinland-Pfalz 
and Hamburg have passed similar acts, and the States of Baden- 
Wiirttemberg, Schleswig-Holstein, Bavaria, and Lower Saxony have 
adopted slightly more circumscribed laws or regulations, At the 
Federal level, the Bundestag has considered a number of proposals 
for national laws of wider scope than any of the present State laws, 
but the estimated costs to data holders of complying with the 
proposed requirements for mandatory disclosure of data have thus 
far raised enough objections to cause the Bundestag to reconsider 


1 Federal Republic of Germany, State of Hesse, Hessischer Landtag, Vorlage des 
Datenschutzbeauftragten (Report of the Data Protection Commissioner), Document 
7/3137, 29 March 1973. Reviewed in Frankfurter Allgemeine Zeitung fur Deutschland, 18 
April 1973; English version of review in The German Tribune, No. 578, 10 May 1973, p. 
3. 
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those requirements. It seems likely, however, that some version of a 
relatively strong law will be passed during 1973. 


SWEDEN 


When strong opposition to the 1969 census erupted in Sweden, 
public mistrust centered not so much on the familiar features of the 
census itself as on the fact that, for the first time, much of the data 
gathering would be done in a form specifically designed to facilitate 
automated data processing. Impressed by the possibility that 
opposition might be so severe as to invalidate the entire census, the 
government added the task of studying the problems of computer- 
ized record keeping to the work of an official commission already 
studying policies with respect to the confidentiality of official 
records. 

After a notably thorough survey of persona! data holdings in 
both public and private systems, the commission issued a report 
containing draft legislation for a comprehensive statute for the 
regulation of computer-based personal data systems in Sweden.? 
The aim of the act is specifically the protection of personal privacy. 
Its key provisions are these: 


e Establishment of an independent “Data Inspectorate,” 
charged with the responsibility for executing and enforcing the 
provisions of the Data Law. 


e No automated data system containing personal data may be 
set up without a license from the Data Inspectorate. 


e Data subjects have the right to be informed about all uses 
made of the data about them, and no new use of the data may 
be made without the consent of the subject. 


e Data subjects have the right of access without charge to all 
data about them, and if the data are found to be incorrect, 
incomplete, or otherwise faulty, they must either be corrected 
to the subject’s satisfaction, or a statement of rebuttal from 
the subject must be filed along with the data. 


2Sweden, Justice Department, Data och integritet (Data and Privacy), Document SOU 
1972:47 (Stockholm: Alm&nna Fdrlaget), 1972. 
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e The Data Inspectorate will act as ombudsman in all matters 
regarding automated personal data systems. 


The Data Law has been passed by the Swedish Parliament and 
will become effective on July 1, 1973. A transition period of one 
year will be allowed to implement all the provisions of the law. 


FRANCE 


Article 9 of the French Civil Code states plainly, “Everyone has 
the right to have his private life respected.” As legal scholars in all 
countries have noted, however, it is very difficult to define the 
precise limits of privacy in every case that comes before a court, 
and in spite of such explicit protection, the privacy of the French, 
both inside and outside of automated personal data systems, seems 
in practice no better defended than that of most other people. 

Although concer about the issue of “computers and privacy” 
has frequently surfaced in the French press* and in data-processing 
periodicals’ , public interest in the subject is not deeply engaged. 
One bill has been introduced in Parliament, but was withdrawn 
pending completion of a study jointly sponsored by the Depart- 
ment of Justice and the Délégué & 1’Informatique. An earlier study 
by the staff of the Conseil d’Etat seems to have influenced the 
proposed bill, but the legal and administrative implications of many 
of the features of the proposal appear never to have been carefully 
developed.® 

One other development on the French scene deserves mention. 
The 1972 annual report of the Supreme Court of Appeals went 
considerably out of its way, after reviewing a case of literary 
invasion of privacy, to comment on the subject of computers and 


privacy: 


3“The Protection of Privacy,” International Social Science Journal, XXIV, No. 3, 
1972, p. 448. 

4 Le Monde, November 29, 1972, pp. 20-21, for example. 

5 Informatique, April, 1971 (entire issue). 

‘France, Conseil d’Etat, Rapport Annuel- 1969-1970, 3iéme Parties, 2ieme ¢tude, 
Fascicule 3, “Les conséquences du développment de !’informatique sur les libertés publi- 
ques et privées et sur les décisions administratives,” Paris, 1970. 
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... The progress of automation burdens society in each 
country with the menace of a computer which would 
centralize the information that each individual is obliged to 
furnish in the course of his life to the civil authorities, to his 
employer, his banker, his insurance company, to Internal 
Revenue, to Social Security, to’ the census, to university 
administrations, and, in addition, the data, correct or not, 
which is received about him by the various services of the 
police. When one thinks about the uses that might be made of 
that mass of data by the public powers, of the indiscretions of 
which that data might be the origin, and of the errors of which 
the subjects might be the victims, one becomes aware that 
there \ies a very important problem, not only for the private 
life of everyone, but even for his very liberty. 


It appears to us that this eventuality, an extremely prob- 

able one, ought to be made the object of consideration of 

the public power, . . .and that this consideration should take 

its place among the measures of precaution and of safeguard 

which should not lack for attention.’ 

To sum up, the situation in France is complex. The subject of 
computers and privacy has been given serious attention by a 
relatively small group of experts, but that group has an influence in 
government far out of proportion to its numbers. The attitude of 
the present government is strongly colored by another aspect of the 
privacy problem: It has been caught in a wiretap scandal, and its 
defensiveness in that regard appears to be influencing its actions on 
the computer front. The official report of the present working 
group is due before the end of 1973, but it does not seem realistic 
to expect that there will be any definitive action in France before, 
perhaps, mid-1974. 


7France, Cour de Cassation, Rapport de la Cour de Cassation, Année Judiciare 
1971-1972 (Paris: La Documentation Francaise), 1972, p. 16. 
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GREAT BRITAIN 


Britain is unique among the countries reviewed in having recently 
completed a thorough study of the entire subject of privacy.® 
Although the committee in charge of the study, the Younger Com- 
mittee, was restricted in its terms of reference to private, rather 
than public, organizations that might threaten privacy, the com- 


|. mittee’s report is a model of clarity and concern. In brief, the 


Committee found that both the customs of society and the Com- 
mon law had evolved. defenses against the traditional intrusions of 
nosey neighbors, unwelcome visitors, door-to-door salesmen, and 
the like. Against the new threats of technological intrusions—wire- 
taps, surveillance cameras, and, of course, computerized data 
banks—the Committee recognized that the traditional defenses are 
inadequate. To help deal with the threat of the computer, the Com- 
mittee recommended specific safeguards to be applied to automated 
personal data systems, although it left the method of application up 
to the government to decide. The main features of the safeguards 
are: 

1. Information should be regarded as held for a specific 
purpose and not to be used, without appropriate authoriza- 
tion, for other purposes. 

2. Access to information should be confined to those 
authorized to have it for the purpose for which it was 
supplied. 

3. The amount of information collected and held should 
be the minimum necessary for the achievement of the 
specified purpose. 

4. In computerized systems handling information for 
statistical purposes, adequate provision should be made in 
their design and programs for separating identities from the 
rest of the data. 

5. There should be arrangements whereby the subject 
could be told about the information held concerning him. 


’Great Britain, Home Office, Report of the Committee on Privacy, Rt. Hon. Kenneth 
Younger, Chairman (London: H. M. Stationery Office), 1972. 
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6. The level of security to be achieved by a system should 
be specified in advance by the user and should include 
precautions against the deliberate abuse or misuse of informa- 
tion. 

7. A monitoring system should be provided to facilitate 
the detection of any violation of the security system. 

8. In the design of information systems, periods should be 
specified beyond which the information should not be 
retained. 

9. Data held should be accurate. There should be ma- 
chinery for the correction of inaccuracy and the updating of 
information. 

10. Care should be taken in coding value judgments.? 


The Younger Committee also considered proposing specific 
legislation for automated personal data systems, based upon draft 
bills that had been submitted to Parliament before the Committee 
was formed. After concluding that the proposed laws were too 
constraining to be justified by the level of threat as the Committee 
saw it, the Committee reserved the option to recommend legislation 
at a later date, and confined its present recommendation to urging 
that the data-processing industry voluntarily adopt the safeguards as 
a code of good practice. This has now been accomplished in the 
form of a professional code adopted by the British Computer So- 
ciety.!° Although only about one third of the computer profes- 
sionals in Britain belong to the Society, those who do belong are, 
by and large, in a position to enforce the provisions of the code. 
Further regulation appears to be in the early stages of Parliamentary 
debate, and it is likely only a question of time until safeguards with 
the full effect of law will be in force in Britain. 


CANADA 


In April 1971 the Departments of Communications and Justice 
jointly established a Task Force on Privacy and Computers, growing 
out of earlier work in the Department of Communications on issues 


* Ibid., pp. 183-184. 


‘©The British Computer Society, Privacy and the Computer—Steps to Practicality 
(London: The Society), 1972. 
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concerning the use of computers in communications. The Task 
Force was given broad terms of reference to consider the rights and 
values of the individual that cluster about the notion of privacy, 
and to examine present and foreseeable effects on those rights and 
values of computerized information systems containing personal 
data about identifiable individuals. 

The Task Force began by carrying out a thorough survey of the 
status of personal data files in Canada and of the attitudes of 
Canadians about those files and their uses. It found that there was 
much more interchange of data among systems than the public 
realizes, that there are more inaccuracies in the files than generally 
realized, but that few individuals had actually experienced any 
intrusion on their personal privacy through either use or misuse of 
computers. 

In its report, published in late 1972,'! the Canadian Task Force 


- concluded that computer invasion of privacy is still far short of 


posing a social crisis. However, the rapidly rising volume of 
computerized personal data and the equally rapidly rising public 
expectation of a right to deeper and more secure privacy threaten 
to converge at the crisis level. To forestall that crisis, the Task Force 
recommends that a commissioner or ombudsman be established in a 
suitable administrative setting, that carefully prepared test cases on 
cogent issues be brought before the courts, and that the operation 


| of government data systems be made to serve as a national model. 


1! Privacy and Computers, A report of a Task Force established jointly by Department 


, - of Communications/Department of Justice (Ottawa: Information Canada), 1972. 
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Appendix C 


Confidentiality and the Census, 1790-1929 


ROBERT C. DAVIS* 


The census of population envisaged by Article I, Sec. 2 of the 
Constitution involved only a decennial enumeration of the inhabi- 
tants of each state, distinguishing free from slave, and excluding 


untaxed Indians. Yet from the beginning the census encompassed || 


more than this minimal enumeration, and as the scope of census 
inquiries expanded, the confidentiality of personal data supplied for 
statistical purposes became an increasingly urgent issue. Gradually 
administrative and legal safeguards were instituted to insure cor- 
fidentiality until, in 1919, it became a felony to misuse data sup- 
plied to the census by individuals. A complete study of the evolu- 
tion of government policy with respect to the confidentiality of 
census data would necessarily involve a full-scale history of the 
census itself. This brief overview can at best sketch the development 
of that policy and indicate the major factors that appear to have 
shaped it. 

The history of census policy on confidentiality may be conve- 
niently divided into four broad periods. During the first six censuses 
(1790-1840), the confidentiality issue arose with respect to eco- 
nomic data. From 1850 to 1870 administrative directives extended 
the principal of confidentiality to all census data; with the Census 


*This paper was prepared for the Secretary’s Advisory Committee on Automated Per- 
sonal Data Systems. It is based in part on research supported by a grant from the 
American Philosophical Society whose aid is gratefully acknowledged. Professor Davis is 
with the Department of Sociology, Case Western Reserve University. 
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of 1880 it became a misdemeanor to disclose information collected 
, in the census. Thereafter, the creation of a permanent Bureau of the 


t Census (in 1902) set in motion events that led to the Census Act of 
F March 3, 1919, which made the unauthorized disclosure of personal 
F data collected in the census a felony.' 


} Beyond Bare Enumeration, 1790-1840 


James Madison played the major role in expounding the philo- 


; sophy of the first census and in establishing its procedures. Madison 


spoke for many of the leaders of his time when he expressed his 
desire to gather this “most useful information” for Congress. The 
census, he argued, should be “extended so as to embrace some 


; Other objects besides the bare enumeration of the inhabitants; it 


' would enable them to adapt the public measures to the particular 
circumstances of the community.” Echoing The Federalist Papers, 
he wished to know accurately the “several classes” of the nation so 
that Congress could ‘‘make proper provision for the agricultural, 
commercial, and manufacturing interests... in due proportion.””? 

Madison embodied his vision of the census as the vehicle for 
socio-economic research in a bill that divided the population into 
four categories: free white males, free white females, free blacks, 
and slaves. The free whites were to be differentiated by age— 
younger than 16, 16 or older—and Madison also wished to classify 
the population, where appropriate, under thirty occupational and 


f industrial headings.® 


1On the growth of the census, see: Carroll D. Wright and William C. Hunt, The History 
and Growth of the United States Census, Senate Document No. 194, 56th Congress, Ist 
Session, 1900, Serial 3856, and W. Stull Holt, The Bureau of the Census: Its History, 
Activities and Organization (Washington, D. C.: The Brookings Institution), 1929. See also 


q Hyman Alterman, Counting People: The Census in History (New York: Harcourt, Brace & 
B World), 1969, and Ann Herbert Scott, Census, U.S.A.: Fact Finding for the American 


- People, 1790-1970 (New York: Seabury Press), 1968. 
2 Annals of Congress, 1, p. 1077. 

8The schedule is reproduced in Dorothy Whitson, “1970, Year of the Nineteenth 
Decennial Census,” Daughters of the American Revolution Magazine, Vol. CIV (1970), p. 
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The Senate deleted the proposal on occupations, much to 
Madison’s disgust, but the crucial point is that the first act pushed . 
beyond the simple constitutional provision, thereby establishing a , 


precedent for the enormous expansion of the census in the follow- 


ing century.* Madison’s argument for converting the census into a , 
vehicle for statistical inquiry became the standard rationale echoed , 
in future Congresses. In spite of occasional objections to the im- | 


plied powers interpretation of Article I, Sec. 2, a Federal court was 
not asked to rule on the constitutionality of the expanded census 
until 1901. Its decision reaffirmed the necessity and right of govern- 
ment to gather statistics to guide public policy. 


Madison’s statistical ideology may have looked toward the needs 


of an expanding nation, but his administrative conceptions with 


regard to the census were bound to his own time. The census bill of | 


1790 was based on the assumption that each enumeration was to be 
an ad hoc operation, carried out at minimal cost, and utilizing 
existing functionaries of government as far as possible. The bill 
divided the labor between the Congress, which determined the con- 
tent of the census schedules, and the federal marshals, who ap- 
pointed assistant marshals to do the enumeration. The thoroughness 
of the enumeration was to be checked by the marshals, the district 


courts, and the public before aggregate figures were transmitted to q 


the national capital for compilation and publication. This system, 
with minor modifications, was used in the first six censuses. 

Concern for accuracy is evident in the rules for enumerators. 
Bound by oath and threatened with fines, the assistant marshal had 
to file copies of his census schedules with the clerk of the district 
court who would make them available for inspection by the grand 
jury. Furthermore, the enumerator was bound to 


cause a Correct copy, signed by himself, of the schedule, 
containing the number of inhabitants, within his division, to 
be set up at two of the most public places within the same, 
there to remain for the inspection of all concerned... . . i 


se 
“Wright and Hunt, op. cit., p. 87. 
5 U.S. v. Moriarity, 106 Fed. 886 (C.C.S.D.N.Y. 1901). 
° Wright and Hunt, op. cit., pp. 926-927. 
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Both these requirements involved disclosure, but apparently the 


, confidentiality issue was not raised. Given the few facts contained 
F in the schedule, all of which were common knowledge locally, it is 
probable that most citizens did not perceive the public posting of 


census results as an invasion of privacy. 
The practices established in the first census may have seemed 
sensible and frugal, but built into the procedures were a number of 


problems. Because data collection was decentralized, the Secretary 
' of State had little control over the quality of the aggregate figures 


submitted by the marshals. The public posting of census schedules 
sacrificed confidentiality in the hope of attaining accuracy, a dubi- 


' ous proposition in the long run. And, in the absence of a permanent 


census bureau, expertise in the collation, analysis, and presentation 
of census data could not accumulate at the federal level. 

The Census of 1790, published by Thomas Jefferson in the au- 
tumn of 1791, revealed a population of 3,929,214. At about the 
same time, Jefferson wrote to a friend that, “Making a very small 
allowance for omissions, which we know to have been very great, 
we are certainly above four millions, probably about four million 
one hundred thousand.”’ Assuming that his estimate of the under- 
count was reasonable, one can only speculate about the causes of 
the difficulty. 

Clearly the problems of communication and travel, especially in 
the frontier areas, must have been a contributing factor. Then, too, 


P the lack of detailed instructions to the marshals must be considered. 
- When asked to initiate the field work phase of the first enumera- 


tion, Tobias Lear, Washington’s private secretary, apparently sent 
out copies of the census law, nothing more.* The suspicion that 
census data would be used in levying future taxes may also have 
played a role in the reluctance of some citizens to cooperate. 


TAndrew A. Lipscomb (Ed.), The Writings of Thomas Jefferson, Vol. VIII (Washing- 


F ton, D. C.: The Thomas Jefferson Memorial Association), 1905, p. 236. 


*Tobias Lear, Circular to Marshals, March 5, 1790, in Papers of George Washington, 


E Microfilm Edition, Series 2. 
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To the statistics-minded generation of the Founding Fathers,’ 
the skimpy data of the first census must have been disappointing. 


Jefferson’s dissatisfaction is evident in the memorial regarding plans | 
for the Census of 1800, which he sent to Congress as President of | 


the American Philosophical Society. It called for ‘a more detailed 


view of the inhabitants,” and suggested the inclusion of refined age 


groupings 
from whence may be calculated the ordinary duration of 
life in these States, the chances of life for each epoch 
thereof, and the ratio of the increase of their population; 
firmly believing that the result will be sensibly different 
from what is presented in the tables of other coun- 
tries . 1 


The memorial suggested the age intervals that might be used, and 
urged that data be collected on nativity and occupation. The Ameri- 


can Philosophical Society and the Connecticut Academy of Arts } 
and Sciences joined forces in the advocacy of census reform, but : 
the legislation for the approaching census showed scant evidence of 


their influence. 


The only significant change in the schedule for 1800 was the 3 
refinement of age categories for the free white population, in- 


cluding females (for whom no age data were collected in 1790). The 


census was placed formally under the authority of the Secretary of 3 


State, but otherwise no major procedural alterations were made. 


Fortunately, the incumbent Secretary of State, Timothy Pickering, ; 


° Washington requested personal copies of the census returns, a move quite in keeping 
with his interest in the statistical study of Scotland by Sir John Sinclair. [Washington to 
Sinclair, March 15, 1793, in The Correspondence of the Right Honorable Sir John Sinclair, 
Bart., Vol. HW (London: H. Colburn and R. Bentley), 1831, pp. 16-17. See also Franklin 
Knight (Ed.), Letters on Agriculture from His Excellency George Washington. . . .(Wash- 
ington, D. C.: Franklin Knight), 1847.] Alexander Hamilton’s interest in sound statistical 
data is shown in his research for his report on manufacturing. [Arthur H. Cole (Ed.), 
Industrial and Commercial Correspondence of Alexander Hamilton Anticipating His Re- 
port on Manufacturing (Chicago: A. W. Shaw Company), 1928.] Madison’s own feelings 
come through in his lament to Jefferson about the truncated census bill: “It contained a 
schedule ascertaining the component classes of the Society, a kind of information ex- 
tremely requisite to the Legistator, and much wanted for the science of Political Econ- 
omy.” {Letters and Other Writings of James Madison, Vol. | (Philadelphia, Pa.: L. B. 
Lippincott & Co.), 1865, p. 507.] 

1° Wright and Hunt, op. cit., p. 19. 
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was concerned about the quality of the census and drafted a set of 
detailed instructions to guide the marshals. He clarified the wording 
of the Census Act by defining terms, and he restated the categories 
of the census in the form of questions to be asked the head of each 
household. He also outlined procedures for recording, copying, 
posting, and aggregating the returns. On the requirement that the 


‘ schedules be posted, Pickering wrote: 


These copies will distinguish .. . the several families, by the 
names of their master, mistress, steward, overseer, Or other 
principal person therein. The design of the copies thus set 
up, appears to be that if any of the inhabitants discover 
errors in the enumerations, they may be made known to the 
assistant; and the naming of the heads of families will render 
the detection of errors practicable."* 


Whether the instructions helped produce a better census is not 


clear, but it seems likely that it did not. The compilation of the 
F census was placed in the hands of a State Department clerk, Jacob 
| Wagner, and when the report appeared in 1801 its scanty data 
allowed little more than Jefferson’s observation that “the increase 


of numbers during the last ten years, proceeding in a geometrical 


| ratio, promises a duplication in a little more than twenty-two 


912 
The third census of population merely repeated the procedures 


of 1800. John B. Colvin, a clerk in the State Department, issued 
+ copies of the Pickering instructions and compiled the aggregate sta- 
F tistics as they came in. However, the desire for economic data, 
F voiced earlier by Madison and Jefferson, found an able advocate in 
} the Secretary of the Treasury, Albert Gallatin. Called upon to re- 
F port on the state of American manufactures, Gallatin reported to 
g Congress the insufficient nature of such statistics and added, ‘‘Per- 


mit me to observe that the approaching census might afford the 


opportunity to obtain detailed and correct information on that 
subject .... 23 Congress immediately authorized the collection of 


11 Timothy Pickering, Circular to Marshals, April 30, 1800, in Pickering Papers, 


‘ Massachusetts Historical Society. 


13 Lipscomb, op. cit., HI, p. 330. 
13 National Intelligencer, April 20, 1810. 
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data on manufacturing establishments and their products, Gallatin 
drafted instructions for the enumerators in terms of broad objec- ' 


tives, noting that 


No particular form can be prescribed, and to the request 
that each assistant should give in his own way the best 
account which, as he proceeds to take the census, he may be 
able to collect, I can add but very general instructions.'* 


The first attempt to collect economic data ended in frustration, $ 
due to the vagueness of the instructions, the carelessness of the ° 
enumerators, and the resistance of respondents. Samuel Latham 1 
Mitchill, a prominent scientist in Congress, and Tench Coxe, who 4 
had helped gather Hamilton’s manufacturing data, successively % 
worked over the material. Coxe pointed out the “numerous and 4 


very considerable imperfections and omissions” and Mitchill urged 


that “fan exact schedule of all the subjects of inquiry ought to be } 
formed” before the next census attempted to gather such sta , 


tistics.45 


In this first attempt to graft a complicated survey on a relatively ; 


simple population schedule the weakness of the early census system 


was bared, and the issue of confidentiality was raised for the first ' 
time. Clearly, information about business was considered a private $ 
matter by some, and it was, therefore, an issue that had to be dealt 


with when the fourth enumeration was planned.’ ® 


When Secretary of State John Quincy Adams confronted the % 


problem of the Census of 1820, he set about drafting new and 


careful instructions. Congress had modified the census law to gather q 


details of sex and age in the free black and slave population, but 


stipulated different age categories than those for free whites. Asa ‘ 
corollary to gathering immigration data at ports of entry, the “ 


1 4 National Intelligencer, July 2, 1810. 


15 Samuel L. Mitchili, “Views of the Manufactures in the United States,” American 
Medical and Philosophical Register, Vol. Il (1811-1812), p. 408; and Wright and Hunt, op. ' 


cit., p. 23. 


*6On the problems of economic statistics, see Meyer H. Fishbein, “Early Business 4 
Statistical Operations of the Federal Government,” National Archives Accessions, No. 54, q 
June 1958, pp. 1-29, and “The Censuses of Manufactures, 1810-1890,” National Archives 4 


Accessions, No. 57, June 1963, pp. 1-20. 
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number of foreigners not naturalized was to be ascertained, and 
' Congress called for another attempt at gathering economic sta- 
tistics. The population (including slaves) was to be classified as 
engaged in agriculture, commerce, or manufacturing. A supple- 
mentary act called for an enumeration of manufacturing establish- 
ments, giving details of products, their market value, and the raw 
materials utilized; the kind of machinery; the amount of capital 
F invested; contingent expenses; wages and composition of the labor 
: force. Altogether the enumeration of manufacturing establishments 
' comprised fourteen inquiries.*? 


Resistance to such detailed investigations was acknowledged by 


treating the economic inquiry as voluntary and separate from the 
f population schedule. Adams wrote: 


as the act lays no positive injunction upon any individual to 
furnish information upon the situation of his property, or 
his private concerns, the answers to all inquiries of that 
character must be altogether voluntary... . It is to be ex- 
pected that some individuals will feel reluctant to give all 
the information desired in relation to manufacture .... ** 


Recognition of the difficulty of obtaining “private” information 


- of an economic nature was a beginning step toward recognition of 
. the principle of confidentiality, but no such concept was applied to 
t the population schedules. They were still posted “for the detection 
of errors which may have happened in the names of the heads of 
families and the numbers of persons to be returned ... . 


19 


The economic data obtained by the voluntary procedure were 


disappointing, and objections to the economic investigation prob- 


ably influenced the decision of Congress to omit such a schedule in - 


F 1830. The Census of 1830, however, did produce a significant 
| precedent in another sector. For the first time data were collected 


on the blind and the deaf, a reflection of the humanitarian concern 


for the handicapped which was rising in America. Hesitantly, the 


17 Wright and Hunt, op. cit., pp. 26-27. 
‘8 fbid., p. 136. 
19 Thid. 
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census moved toward attention to social problems that were con- 3 : 
sidered outside the legislative scope of the Congress, but about ¥ 


which public policy was being shaped at the State level.?° 


Insofar as centralization of records touches on the issue of con- & 


fidentiality, the legislation for the 1830 census provides still 
another landmark. Congress provided for transmission to the Secre- 


tary of State of a copy of the schedules as well as an aggregate ; 
summary. Furthermore, the schedules of the first four censuses, ; 


preserved in the records of the district courts, were also to be sent 


to Washington. it appears that the impetus for this legislation was j 


the desire to preserve the history of the nation, but it also indicated 
an urge for better statistical work by the Federal government, for 
Congress made provision for the returns of the earlier censuses to be 


organized and published with the results of the fifth enumeration. @ 
That products of this effort were “absolutely valueless,” as a later | 
census director put it, should not distract attention from the spirit 


of the legislation.?! 


A methodological advance was also recorded in the 1830 Census. & 
Uniform printed forms were used for the first time in the enumera- | 
tion, although this innovation, unfortunately, was not coupled with | 
improvements in other fieldwork procedures. Poor fieldwork and 3 


clerical ineptitude were accompanied by the reluctance of the citi- 


zenry to answer the census inquiries. Even though economic ques- # 
tions were omitted, some citizens believed “that the enumeration is 3 


made with a view to the assessment of taxes, enrollment in the 
militia, or the collection of militia fines... .’? 


The appetite of Congress for more and better statistics grew | 


during the decade between the fifth and sixth censuses. A Congres- 


sional resolution calling for data on population growth and militia | 
strength led the Department of State into an early demographic 4 
analysis to which was added a study of taxation. The debate on the 3 
tariff drew the Treasury Department into a survey of manufacturers $ 
that was more elaborate than any prior census effort. Interest also 


2°Harry Best, Deafness and the Deaf in the United States (New York: The Macmillan J 


Company), 1943. 
74 Wright and Hunt, op. cit., pp. 28-32. Francis A. Walker’s evaluation is on page 30. 
23 Hazard’s Pennsylvania Register, Vol. V (1830), p. 352. 


Confidentiality and the Census, 1790-1929 187 


| flared briefly in a suggestion that an official statistician be ap- 


pointed to make regular compilations of statistical materials useful 
to government, but in the end Congress fell back on the old pattern 
of depending on the census to carry the full burden.?? . 
President Martin Van Buren, responding in part to the wide- 
spread surge of statistical interest during his administration, became 
an advocate of a substantially enlarged Census of 1840; and 


Congress agreed. It acted not only to classify individuals by their 


economic pursuits, but to obtain 


all such information in relation to mines, agriculture, com- 
merce, manufactures, and schools, as will exhibit a full view 
of the pursuits, industry, education and resources of the 


country....?4 ; 


Drafting the schedules was left to the Secretary of State. Accord- 
ingly, a detailed economic schedule was drawn up that probed into 
capital investments, forms of ownership, and output of products. 
The question of confidentiality was raised by these new inquiries 
and the instructions to the enumerators took account of it: 


Objections, it has been suggested, may possibly arise on 
the part of some persons to give the statistical information 
required by the act, upon the ground of disinclination to 
expose their private affairs. Such, however, is not the intent 
nor can be the effect, of answering ingenuously the inter- 
rogatories. On statistical tables no name is inserted—the 
figures stand opposite no man’s name; and therefore the 
objection can not apply. It is, moreover, inculcated upon 
the assistant that he consider all communications made to 
him in the performance of this duty, relative to the business 
of the people, as strictly confidential.?* 


23«gtatistical View of the Population of the United States from 1790 to 1830, Inclu- 
Statistical View of the Popu’ sion, 1835, Serial 252 


* House Document No. 
reidel, Francis 


sive,” Senate Executive Document No, 505, 23d Congress, 2d Ses 
“Documents Relating to the Manufactures in the United States, 
308, 22d Congress, Ist Session, 1833, Serials 222 and 223; and Frank F 


Lieber: Nineteenth-Century Liberal (Baton Rouge: Louisiana State University Press), 1947, 


pp. 172-174. 
24 Wright and Hunt, op. cif., p. 36. 
25 Tbid., p. 145. 
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Although the economic questions were thought to merit protection, 


the population schedule was not. The act for the Census of 1840 
retained the requirement that the results of the population count be 
posted in order to ascertain errors. ® 

The detailed economic inquiries were not received with equanim- 
ity by the populace, especially in rural regions. Several counties in 
Virginia, Georgia, Alabama, and Louisiana refused to answer them 
as there was no penalty attached to noncompliance. Andrew 
Jackson was convinced that “‘the foolish questions” lost the Demo- 


crats Tennessee in the presidential election. The question in many % 
minds, not confined to one region by any means, was voiced by a ' 
leading southern journal: “‘Is this federal prying into the domestic } 


economy of the people a precursor to direct taxes?””?’” 


The defective statistics supplied by careless enumerators and eva- } 


sive citizens could not be adequately detected, much less fully cor 
rected, by the census system. William A. Weaver, who supervised 
the State Department clerks checking the census returns, stated that 


upwards of 20,000 errors were discovered in the returns from q 


Massachusetts alone. The discovery of further errors in the printed 
reports led to a national discussion of census shortcomings.?® 


Among the many voices raised, the most significant was that of the { 


American Statistical Association. Founded in 1839, the new organi- 


zation was an active critic of the official statistics on Negro in- 
sanity, data already being cited in the national controversy over 3 


slavery. As the result of its futile struggle to get corrections made in 


the Census of 1840, the Association became committed to the fight j 


for a better census in 1850.79 


26 Ibid., p. 929. 

27 Andrew Jackson to Martin Van Buren, November 24, 1840, Papers of Martin Van 
Buren, Microfilm Edition; and James D. B. DeBow, Statistical View of the United 
States.. .Being a Compendium of the Seventh Census ‘Washington, D.C.: Beverley 
Tucker), 1854, p. 12. 

28 Proceedings of the New York Historical Society for the Year 1848 (New York: The 
Society), 1848. p. 45. 

?% Albert Deutsch, “The First U.S. Census of the Insane (1840) and Its Use as Pro- 
Slavery Propaganda,” Bulletin of the History of Medicine, Vol. XV (1944), pp. 469-482; 
Leon F. Litwack, North of Slavery: The Negro in the Free States, 1790-1860 (Chicago: 
University of Chicago Press), 1961, pp. 40-46; and William Stanton, The Leopard’s 


Spots: Scientific Attitudes Toward Race in America, 1815-59 (Chicago, Ill.: University of g 


Chicago Press), 1960, pp. 58-66. 


Confidentiality and the Census, 1790-1929 189 


The American Statistical Association was not the only source of 
statistical enthusiasm. In varying degrees, reform groups, business 
associations, medical societies and agricultural organizations ex- 
pressed the need for statistics related to their specific interests. At 
the State and local level, statistical activities ranged from sanitary 
surveys to registration of vital statistics to statewide censuses of 
agriculture and manufacturing. A small cadre of statisticians began 
to grow out of this experience, but there was no central statistical 
bureau created in Washington to attract them to the Federal service. 
Unlike the situation in most European countries, statistics in the 
United States remained decentralized and uncoordinated.*® 


Census Development, 1840-1880 


Among all the interest groups concerning themselves with sta- 
tistics there was general agreement that the Census of 1840 had 
been, as John Gorham Palfrey called it, ‘“‘a mortifying failure,’’>! 
and there was widespread agreement in Congress that the approach- 
ing Census of 1850 should be conducted in a better manner. 

The statisticians of New York and Boston led the fight for census 
reform. In 1848 memorials from the New York Historical Society 
and the American Statistical Association, drafted by Archibald 
Russell and Lemuel Shattuck respectively, launched the effort. The 
burden of their advice was to start planning early and to utilize 
statistical experts. After much maneuvering in Congress, a bill was 
passed creating a Census Board to plan the schedules for the seventh 
enumeration. The Secretary of State, the Attorney General, and the 
Postmaster General constituted the Board. Rather than appoint a 


3°See Robert C. Davis, “The Beginnings of American Social Research,” in George H. 
Daniels (Ed.), Nineteenth-Century American Science: A Reappraisal (Evanston, Il.: 
Northwestern University Press), 1972, pp. 152-178; Paul J. Fitz Patrick, “Statistical 
Societies in the United States in the Nineteenth Century,” American Statistician, Vol. XI 
(@ecember, 1957), pp. 13-21; John Koren (Ed.), The History of Statistics (New York: The 
Macmillan Company), 1918; Franklin H. Top (Ed.), The History of American Epidemi- 
ology (St. Louis: C. V. Mosby), 1952; and Luther L. Bernard and Jesse Bernard, Origins of 
American Sociology: The Social Science Movement in the United States (New York: 
Thomas Y. Crowell Company), 1943. 

31 Congressional Globe, 30th Congress, 2d Session, Vol. 18, p. 638. 
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statistician to commence the work, they chose instead Joseph C. G. 
Kennedy of Pennsylvania, whose political credentials as a fervent 
Whig were impeccable. Kennedy, a lawyer and journalist, soon 
needed expert advice, so Russell and Shattuck were called to 
Washington to be his statistical consultants. In spite of a com- 
plicated wrangle involving Kennedy, the Board, and the Senate cen- 
sus committee, a census bill emerged in May 1850. It was primarily 
the product of the advice of Russell and Shattuck, but Kennedy 
won a victory too. He was appointed to superintend the seventh 
census.3? 

The new census schedules opened avenues of inquiry that thrust 
the issue of confidentiality to the fore. The schedule for the free 
population would list every inhabitant by name, giving, in addition, 
sex, age, color, nativity, place of birth, marital status, literacy, real 
estate ownership, and information as to whether the individual was 
deaf, dumb, blind, insane, idiotic, or a pauper or convict. The slave 
schedule was less inclusive, but more detailed than ever before. A 
mortality schedule listed by name all who had died in the preceding 
year, with personal and medical details included. The agricultural 
schedule covered a wide range of data on the operations of each 
farmer and planter; the manufacturing schedule asked for economic 
details on every establishment producing over $500 annually; and 
the schedule on social statistics asked the enumerator to gather data 
on various local institutions,?* 

Given the increased scope of the inquiry, the issue of confiden- 
tiality had to be faced. For the first time, the census bill did not 
require public posting of the population schedules, but it also made 
no provision for penalties for misuse of personal data. Kennedy’s 
instructions on the point, however, were very clear. 


Information has been received at this office that in some 
cases unnecessary exposure has been made by the assistant 
marshals with reference to the business and pursuits, and 
other facts relating to individuals, merely to gratify curi- 
osity, or the facts applied to the private use or pecuniary 


°4 Davis, op. cit., pp. 163-166, and Wright and Hunt, op. cit., pp. 39-50. 
°$Wright and Hunt, op. cit., pp. 150-153, 227-228, 234-236, 312-314, and 646-649. 
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advantage of the assistant, to the injury of others. Such a 
use of the returns was neither contemplated by the act itself 
nor justified by the intentions and designs of those who 
enacted the law. No individual employed under sanction of 
the Government to obtain these facts has a right to promul- 
gate or expose them without authority.>? 


The precise nature of the abuse of confidentiality referred to 
does not survive in the existing records. Although Kennedy’s corre- 
spondence contains many requests for information, replies were 
limited to aggregate data. There is only one recorded case that 
might be counted as a partial exception to the rule of absolute 
confidentiality. A man seeking his lost brother was informed that a 
man of a similar name was living in Texas.** In another reply to a 
request for access to census schedules Kennedy wrote, “I have no 
objection to your taking from the office such returns as may be 
necessary to the purpose you name... .’°° However, it is not pos- 
sible to ascertain the nature of “the purpose” or the specific returns © 
referred to. 

When the census duties were taken over by James D. B. De Bow 
in 1853, the same rules of confidentiality were applied. The chief 
clerk of the census, in denying a request for names and personal 
details from the 1850 enumeration, observed that “the question is, 
whether it is well, in order to oblige or benefit an individual, to risk 
any increase of obstacles under which the Government labors in 
procuring such information ... .”? 7 De Bow felt, however, that the 
resistance encountered in 1840 to the economic questions had di- 
minished. “Such objections were rarely raised in 1850,” he wrote, 
“and in but two or three cases was it necessary to call in the services 
of the district attorney to enforce the requisitions of the law.”’?* 

The census act of 1850 governed the Census of 1860 and 
Kennedy once again was appointed superintendent. The eighth enu- 


°4 Ibid., p. 150. 

353_C.G. Kennedy to S.C. Miller, November 29, 1851, National Archives, Record 
Group 29, Census, Item 11 (Letterbook). 

36 JC. G. Kennedy to William D. Cooke, September 26, 1851, loc. cit. 

377, H. Baird to George C. Whiting, May 22, 1855, National Archives, Record Group 
48, Department of the Interior, Office of the Secretary, Patents and Miscellaneous Divi- 
sion, File 183. See also Baird to Whiting, March 23, 1855, loc. cit. 

38De Bow, op. cit., p: 12. 
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meration had all the strengths and weaknesses of the seventh, as the 


schedules and procedures were fixed by law. The Civil War also put_ : 


unique demands on the census: the President needed data on the 
probable cost of compensated emancipation; the War Department 
wanted quotas of draftees calculated; General Sherman needed 
maps showing food and forage for his March to the Sea.3° 

It is possible that confidentiality was breached under the stress of 
war, but in general the work of the Census Office proceeded very 


much as before. The volumes on population and agriculture ap- 


peared in 1864, and the reports on manufacturing and mortality 
were in hand by 1865. In that year, however, Kennedy was 
abruptly removed from office, demonstrating once again the vulner- 
ability of a temporary census office to the shifting fortunes of 
politics.*° 

As the 1870 enumeration approached, it seemed evident to many 
statisticians that the census law of 1850 needed to be replaced with 
more satisfactory legislation. In Congress, the reform movement 
was led by James A. Garfield. After much consultation, Garfield 


drafted a new census act in which he sought to improve the occu- 4 


pational and industrial classification, to create a board to supervise 
the census, to shorten the census period, to improve methods of 
selecting census personnel, and generally to expand the number of 
inquiries. One suggestion had political implications. Garfield 
wanted to take the appointment of census enumerators out of the 
_ hands of the Federal marshals. In suggesting replacing the marshals’ 
districts with Congressional districts as the basis for appointment of 


°°Typed copy of clipping, New York Tribune, undated, enclosed in Annie E.K. 4 
Bidwell to Walter F. Willcox, June 30, 1917, in Walter F. Willcox Papers, Library of ; 


Congress, See also General William T. Sherman, Memoirs, Vol. I (New York: D. Appleton 
and Company), 1875, p. 31; David C. Mearns (Ed.), The Lincoln Papers, Vol. Il (Garden 


’ City, L. 1: Doubleday), 1948, pp. 587-589; and Roy P. Basler (Ed.), The Collected Works % 
of Abraham Lincoln, Vol. V (New Brunswick: Rutgers University Press), 1933, pp. 4 


160-161, 

4° James Harlan to J. C. G. Kennedy, June 2, 1865; Kennedy to Harlan, June 3 and 8, 
1865; Kennedy to Andrew Johnson, June 17 and 19, 1865, in Andrew Johnson Papers, 
Microfiim Edition. 
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enumerators, Garfield was, in effect, handing the Senate’s patronage 
to the House—a move that defeated the bill when it arrived in the 
Senate.*? 

If Garfield failed to reform the census, he succeeded in nomi- 
nating its new superintendent, Francis Amasa Walker. Walker was 
confirmed, but he had to work within the confines of the census act 
of 1850 which had been modified only slightly to reflect the abolli- 
tion of slavery and to eliminate some of the ambiguities in the 1850 
and 1860 enumerations.*? Nonetheless, in his instructions to enu- 
merators, Walker made clear his position on confidentiality : 


No graver offense can be committed by assistant marshals 
than to divulge information acquired in the discharge of 
their duty. All disclosures should be treated as strictly con- 
fidential, with the exception hereafter to be noted in the 
case of the mortality schedule. Information will be solicited 
of any breach of confidence on the part of the assistant 
marshals. The department is determined to protect the citi- 
zen in all his rights in the present census.* * 


The exception noted permitted the assistant marshals to submit 
mortality schedules to “some physician who will be willing, out of 
public spirit and professional interest, to glance over the entire list 
of diseases and correct a defective classification” of the cause of 
death of individuals so listed.** 

In spite of Walker’s preparations, the Census of 1870 suffered 
from an undercount of unprecedented proportions in the South. 
Given the limits imposed by the act of 1850, very little could be 
done from Washington to prevent the fiasco. The politics of Recon- 
struction dictated that marshals in the South, often non-residents of 


41Mary L. Hinsdale (Ed.), Garfield-Hinsdale Letters (Ann Arbor: University of 
Michigan Press), 1949, pp. 146-147; Congressional Globe, 41st Congress, 2d Session, Vol. 
42, Part 2, p. 1147; James P. Munroe, A Life of Francis Amasa Walker (New York: Henry 
Holt and Company), 1923, p. 109; Theodore Clarke Smith, The Life and Letters of James 
Abram Garfield, Vol. Il (New Haven: Yale University Press), 1925, pp. 794-795; and 
Francis Amasa Walker, “American Industry and the Census,” Atlantic Monthly, Vol. 
XXIV (1869), pp. 689-701; “The Census Imbroglio,” The Nation, February 24, 1870, p. 
116. 

‘2 Wright and Hunt, op. cit., pp. 54-56 

$3 Tbid,, p. 156. 
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epresenative Cox presented to the House not only an able history 
rand critique of census practices, but also a detailed exposition of 
the needed reforms.*” 

F~ The 1880 census act embodied many of the reforms suggested in 
"1870 and added a few new provisions. Federal marshals were re- 
placed by district supervisors as the chief local functionaries. Ap- 
pointed by the President, with the advice and consent of the 
Senate, the district supervisors were empowered to appoint enu- 
“merators, with the consent of the Superintendent of the census. 
FThe enumerators, moreover, were to be “selected solely with refer- 
rence to their fitness.”*® The topics to be enumerated were named 
F in the act, but the Superintendent was given authority to set up the 
schedules and make reasonable modifications within the broad 
F range of areas to be covered. The Superintendent was further em- 
powered to hire “experts and special agents” to handle specific 
areas requiring special knowledge.*? 

_ These reforms clearly broke with past census practices. On the 
f issue of confidentiality, the census-taker’s oath was a decisive 
Fchange as well. Each enumerator now had to swear not to disclose 
e “any information contained in the schedules, lists or statements 
F obtained by me to any person or persons, except to my superior 
Bofficers.”5° It was further stipulated that 


their districts, had to appoint loyal Republicans. The liberal use of 
census patronage to attract freedmen to the Party led to the ap- # 
pointment of illiterates as enumerators. Even when the enumerators | 
were capable people, they had to contend with white hostility and ' 
black fear. Sometimes the work was illegally subcontracted, and 3 
sometimes, as Henry Gannett reported, census data were gathered 4 
at “court sessions, musters, public meetings, etc.’ Walker initially | 
estimated the undercount of Southern blacks to be about 
350 to 400 thousand but he later conceded that it probably ran as 
high as 510,000.7 § 4 

In spite of the serious flaws in the enumeration of the South, the 4 
Census of 1870 was a marked improvement over all previous cen- 4 
suses. The reports: were more detailed, better annotated, and the © 
data were more clearly presented in tables and graphs. Due atten- 
tion was called to limitations of the data, and Walker included a % 
thorough historical and methodological discussion of census pro- 
cedures. In a sense, the 1870 report was a brief for census reform, 
‘and that issue was joined soon again in Congress. 


Census Reform, 1880-1900 


Although James A. Garfield was active in promoting reform of + 
the census, Representative Samuel S. Cox and Senator Justin 
Morrill led the fight in the Congress. Senator Morrill pointed out 
that the country had outgrown the census as conceived in 1850. 


an enumerator who shall disclose any statistics of property or 
business included in his return, shall be deemed guilty of a 
misdemeanor, and upon conviction shall forfeit a sum not ex- 


The statistical facts now required are not merely for the grati- ceeding five hundred dollars. . . .*? 


fication of the curiosity of students, but are for daily, prac- 
tical use in wide directions, and are to serve as the constant 
resource of legislators, both state and national.* ® 


E It is noteworthy that the penalty clause specifically mentions eco- 
e nomic data, again reflecting the sensitivity felt about collecting that 
E-type of information. Notable also are the instructions to enumer- 
Eators to check with attending physicians the cause of death of 


45 New York Times, March 8, 1891; Francis A. Walker, Discussions in Economics and @ 
Statistics, Vol. Il (New York: Henry Holt and Company), 1899, pp. 49-58; and Henry 4 
Gannett, “‘The Alleged Census Frauds in the South,” Jnternational Review, Vol. X (1881), 4 
pp. 459-467. The total undercount is estimated at about 1,260,000 in U. S. Bureau of the * 
Census, Historical Statistics of the United States, Colonial Times to 1957 (Washington, @ 
D.C.: U.S. Government Printing Office), 1960, p. 12. For the problem of underenumera- 3 
tion, see Advisory Committee on Problems of Census Enumeration, Carole W. Parsons 3 
(Ed.), America’s Uncounted People (Washington, D. C.: National Academy of Sciences- % 
National Research Council), 1972. 3 


*6 Congressional Record, 45th Congress, 3d Session, Vol. 8, Part 2, p. 1049. 


a ‘1 Ibid., pp. 1534-1544, and David Lindsey, “Sunset” Cox: Irrepressible Democrat 
Detroit, Mich.: Wayne State University Press), 1959, p. 190. 

. **Wright and Hunt, Ibid., pp. 155-166, 936-943. 

“9 Ibid., p. 65. 

5° Tbid., p. 937. 
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individuals listed in the mortality schedule,5? and the provision ina 4 
supplementary piece of legislation for correcting census returns by a 


method akin to the public posting procedure of earlier times. The 


enumerator was instructed to file with the county clerk a list of 


“names, with age, sex, and color, of all persons enumerated by 


him.”*? He was further instructed to advertise his availability for 
15 days at the courthouse for the purpose of making corrections in 4 
the enumeration of population, including taking evidence under 4 
oath of needed changes, and to make known to the bystanders, if 4 
any, the outcome “of such inquiry for correction and the whole § 
number of persons by him enumerated. .. .”54 This availability of 4 
the facts of age, sex, and color in a semi-public setting, of course, : 


ran counter to the growing emphasis on safeguarding the confiden- 
tiality of personal data collected by the census. 


Charles W. Seaton, who, like Walker, combined political and sta- 
tistical credentials, took over as Superintendent of the census in 4} 
1881. He guided the census through budget crises, fended off politi- 3 
cally motivated charges of fraudulent counts in the South,°* and 4 
promoted the use of mechanical aids in census work, particularly a | 


simple tallying device that had been in limited use since 1870. 


The sheer volume of data collected in 1880, especially in the area } 


of economic statistics and special studies, was impressive. Twenty- 


two quarto volumes totalling 19,305 pages (plus a compendium of 4 
1,898 pages) appeared between 1883 and 1888. Clearly, the outer 3 
limits of data management were reached in the 1880 enumeration 4 
and any further extension of the census would require a new system 


for data processing.*® 


Herman Hollerith, a young engineer who had worked as a special ¢ 
agent in the 1880 Census, became interested in the problem and, ‘ 
after some experimentation, invented the punched card system for ” 
recording and tabulating the census returns. Hollerith’s solution was * 
as ingenious as it was simple. Hand-tallying of raw data was replaced " 


53 Tbid., p. 231. 
58 Ibid. , p. 942. 
54 Ibid. , pp. 942-943, 


55 Gannett, op. cit.; Francis A. Walker, “The Eleventh Census of the United States,” 3 


Quarterly Journal of Economics, Vol, Ik (1887-1888), pp..135-161. 
56Wright and Hunt, op. cit., pp. 58-69. 
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by punching holes in cards whose columns corresponded to census 
data classifications. The cards, representing individuals or other 
units, were then counted electrically. Even in its earliest stage of 
development, the Hollerith system speeded tabulations to such an 
extent that its merits were demonstrable before the 1890 enumer- 
ation began.*7 


The advent of the new system had dual implications for the 
question of confidentiality. On the one hand, it removed the actual 
census return one step farther from the final statistical process. On 


the other hand, it made possible the collection of even more infor- 


mation on individuals. On balance, however, it is probable that the 
Hollerith system enhanced the anonymity, and thus the confiden- 
tiality, of census data, although technologically it was the forerun- 
ner of modern computer-based record keeping. 

The census act of 1890 followed closely the precedents set in 
1880. The provisions for insuring confidentialty were similar with 


respect to the enumerator’s oath and the penalties for unauthorized 


disclosure of personal data. However, the provision for depositing 
lists of individuals with the county courts was dropped. Instead, the 
Superintendent was authorized to disclose to “any municipal gov- 
ernment,” upon request, a list of names of its inhabitants, indi- 
cating “sex, age, birthplace, and color, or race.” The enumerators 
were also instructed to check with the attending physician for the 
cause of death of persons reported in the mortality schedule.** 

The census reform of 1880 did not include the establishment of a 
continuing census bureau and the arrangements for 1890 were 
equally impermanent. When Robert P. Porter was appointed Super- 
intendent, in 1889, he had to seek out former census employees, 
and rescue schedules and instructions from bureaucratic oblivion. 
The lack of continuity, the haste in organizing for the enumeration, 
and the: problems of patronage all made Porter’s position difficult. 
Porter’s own. appointment was determined more by politics than by 
statistical experience. A journalist-editor, he was a vigorous protec- 
tionist and served on the Tariff Commission of 1882, and had 


57 Leon F, Truesdell, The Development of Punch Card Tabulation in the Bureau of the 
Census, 1890-1940 (Washington, D,C.: U.S. Government Printing Office), 1965, pp. 
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worked on the 1880 Census; thus, his free-trade enemies kept up a 

barrage of criticism until his resignation in 1893.5° Congressional { 
critics complained of slowness in completing the tabulations, a 4 
charge that had arisen after each previous enumeration, and threat- 4 
ened to close the Census Office in 1893. However, a series of enact- } 
ments extended its life and placed it under the direction of Carroll | 


D. Wright, an able statistician, who was Commissioner of Labor. 


The status of the census as a bureaucratic orphan brought home to 


many the need for a permanent Census Bureau.*®° 


The Census Bureau, 1902-29 


The need for a continuing statistical organization was well-stated 


by De Bow in 1854: 


Each census has taken care of itself. Every ten years some one 
at Washington will enter the hall of a department, appoint 
fifty or a hundred persons under him, who, perhaps, have 
never compiled a table before. .. .If any are qualified it is no 
merit of the system... .In Washington, as soon as an office 
acquires familiarity with statistics. . .it is disbanded, and even 
the best qualified employee is suffered to depart.®! 


In the following decades, other voices raised the same complaint, @ 
but Congress did not really begin to act seriously in the matter until , 
the census crisis of the nineties. Then the approaching enumeration . 


of 1900 made it necessary to organize a census office before a 


permanent bureau could be created. Moreover, the organization of : 
the new office preserved an old duality in census operations, the } 
political and the statistical. The position of Director embodied the 7 


former, while the Assistant Director was to be “a practical, experi- 


enced statistician.” Political influence in census jobs was not elimi- , 


nated.®? 


59 Holt, op. cit., pp. 27-31, 

S° Wright and Hunt, op. cit., pp. 69-76. 
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The act of March 6, 1902 transformed the census unit into a 


permanent Office, headed by a Director under whom were four 


chief statisticians. Provision was made for fitting census personnel 


; into the classified civil service. The statistical duties of the office 
; were specified and the work was spread out across the intercensal 
- period. This is not to say that the new office settled into an un- 


eventful period of tranquility. On the contrary, the census was to 


; be involved in years of struggles to define its role, fend off political 
; influence, build its professional staff, and increase the scope of its 
s. activities.®? 


Just before the Census Office was established, a decision of the 


L Circuit Court of the Southern District of New York gave belated 


sanction to the extensive work of the census. The reasoning of 
District Judge Edward B. Thomas was clearly Madisonian: 


The functions vested in the national government authorize 
the obtainment of the information . . .[in order to enact] laws 
adapted to the needs of the vast and varied interests of the 
people, after acquiring detailed knowledge thereof. ...[The 
government has the right to] make the researches. . .[in order 
to meet] its ever-widening obligations. . .to the welfare of its 
citizens and to the world... .For the national government to 
know something, if not everything, beyond the fact that the 
population of each state reaches a certain limit, is apparent, 
when it is considered what is the dependence of this popula- 
tion upon the intelligent actions of the general government. 


E The court then cited the wide range of social and economic prob- 
» lems on which Congress must legislate, and concluded that 


for these or similar purposes the government needs each item 
of information demanded by the census act, and such informa- 
tion, when obtained, requires the most careful study, to the 
end that the fulfillment of the governmental function may be 
wise.°* 


53 Ibid., pp. 34-86 (for the period 1902-1930). 


54U S. v. Moriarity, 106 Fed. 886, 891, 892 (C.C.S.D.N.Y. 1901). See 14 Am Jur 2d, 


E. Census, for an excellent summary of the legal status of the census by Henry C. Lind. 
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The case did not touch on the confidentiality of personal data, j 
but confidentiality was the subject of Congressional action in the j 
decades that followed. The act for the 1900 Census declared unau- 
thorized disclosure of census data to be a misdemeanor punishable 3 
by a fine of up to $500.5 A decade later the punishment was | 
increased: upon conviction a fine not to exceed $1,000, or im- 
prisonment of up to 2 years, or both, could be imposed at the + 
discretion of the court.*® The Act of March 3, 1919, providing for 
the fourteenth census, declared such disclosure to be a felony and a 
fine not to exceed $1,000, or imprisonment of up to 2 years, or 
both, was again authorized.®’ 

When Congress enacted a comprehensive census law for the 1930 4 
and subsequent censuses, it retained the penalty provision of the 4 
1919 statute. The permanent act of June 18, 1929 also included a 3 
section that succinctly stated the safeguards for confidentiality in- § 
stituted in the Bureau of the Census. Section 11 provided 


That the information furnished under the provisions of this 
Act shall be used only for the statistical purposes for which it 
is supplied. No publication shall be made by the Census Office 
whereby the data furnished by any particular establishment or 
individual can be identified, nor shall the Director of the Cen- 
sus permit anyone other than the sworn employees of the 
Census Office to examine the individual reports. °* 


During the same period (1900-1929), regulations about access to 4 
census records were established. Governors, municipal officers, and -4 
courts of record could obtain information from the schedules under 7 
the provisions of the various census acts. Private individuals, for ! 
“genealogical or other proper purposes,” were allowed certain spe- 4 
cific information, provided the information could not be used to the | 
detriment of the person to whom it pertained. Free access to census 4 
data was limited to the records of the first nine enumerations.*®® 


®5 Act of March 3, 1899, ch. 419, sec. 21, 30 Stat. 1020. 
66 Act of March 3, 1909, ch. 2, sec. 22, 36 Stat. 8. 

57 Act of March 3, 1919, ch. 97, sec. 22, 40 Stat. 1299, 
®* Act of June 18, 1929, ch. 28, sec., 11, 46 Stat. 25. 
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Summary 


During the first century of census activity the expansion of sta- 
tistical inquiry raised the issue of confidentiality. The protection of 
personal data provided for statistical purposes was instituted admin- 
istratively, then by statute. Before 1850, population schedules were 
posted publicly in an effort to detect errors, but as early as 1820 
assurances of confidentiality were given for economic information. 
From 1850 to 1870, administrative rules extended confidentiality 
to all census data, but it was not until 1880 that unauthorized 
disclosure of information about individuals was declared to be a 
misdemeanor. The penalties for violating confidentiality were grad- 
ually strengthened until, in 1919, unauthorized disclosure was de- 
clared a felony. 

Although it is not possible to weigh the importance of the pro- 
tection of confidentiality in precise terms, it clearly seems to have 
been one factor that made it possible for the census to grow. Even 
given extensive support for the Madisonian viewpoint on the value 
of social statistics, the corollary guarantee of confidentiality has 
been needed. 

As late as 1929, Herbert Hoover, in his proclamation announcing 
the Census of 1930, felt called upon to reassure the populace: 


The sole purpose of the Census is to secure general statistical 
information regarding the population and resources of the 
country, and replies are required from individuals only to per- 
mit the compilation of such general statistics. No person can 
be harmed in any way by furnishing the information required. 
The Census has nothing to do with taxation, with military or 
jury service, with the compulsion of school attendance, with 
the regulation of immigration, or with the enforcement of any 
national, state, or local law or ordinance. There need be no 
fear that any disclosure will be made regarding any individual 
person or his affairs. For the due protection of the rights and 
interests of the persons furnishing information every employee 
of the Census Bureau is prohibited under heavy penalty from 
disclosing any information which may thus come to his 
knowledge.”° 


7046 Stat. 3012, Proclamation by Herbert Hoover, November 22, 1929, 
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The National Driver Register 


DANIEL H. LUFKIN* 


Scenario 


Within a few hours after the hearing was over John Doe was back 
behind the wheel, even though the judge had suspended his license 
for three years. With a little planning, there’s no reason fora smart 
fellow like Doe to be grounded for three years for reckless driving 
and a couple of speeding tickets, provided he takes a few simple 
precautions, right? As a salesman, Doe knew every county seat in 
the area where Colorado, Nebraska, and Wyoming join, and two 
days after the ticket that put him over the top in Colorado's point 
system, he had applied for and received driver’s licenses from both 
Nebraska and Wyoming. The licenses were still only temporary 


cards, but in a week or two the real ones would be in the mail, and 4 


everything would be all right again. Of course, he’d have to be 


careful not to attract attention to the fact that he had an a 
out-of-state license, but with two licenses to fall back on, Doe 
didn’t anticipate any trouble in continuing to drive until his three 4 


years were up and he could get a Colorado permit again. 


Before 1961, John Doe’s plan would probably have worked. 
There was nothing suspicious about his looks or actions. He had 4 
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; identified himself fully and on the application form he had 
P answered quite truthfully that his license had never been suspended 


in another State. After all, the hearing at which he knew the 


! suspension would take place was still weeks in the future when he 


took his precautions. Unless either Wyoming or Nebraska found 
something suspicious in his application, and went to considerable 


f trouble to check with Colorado, no one would ever discover that 


those states were innocently, but nonetheless effectively, nullifying 


. the judicial action of Colorado. 


Today, however, any sense of smugness that Doe might feel will 
evaporate rapidly. The National Driver Register (NDR) of the U.S. 
Department of Transportation will give the motor vehicle 
administrations of Nebraska and Wyoming the information they 
need to make the proper decision about granting a license to John 
Doe. The mechanics of the NDR operation deserve to be developed 


F in some detail, though needless to say, this description is by no 
j means exhaustive: there are many bad drivers even cleverer than 


Doe, and they should learn about NDR the hard way. For that 
reason, also, the names of States used here are purely for narrative 
convenience; administrative and legal details do not necessarily 


: refer to the States named. 


q The National Driver Register 


When Doe filed his application in Wyoming, his form was 


j processed just like all the other forms of the three hundred or so 


applicants that day. All were sent to the central office of the Motor 


; Vehicle Division, where a clerk transferred to magnetic computer 


tape the following information from each application form: name, 


| date of birth, place of birth, Social Security number, sex, height, 
weight, and color of eyes. Since Wyoming is one of the States that 
E use the Social Security number as the driver’s license number, Doe 
» had furnished his number on the application blank. Doe’s file 
s Occupied only an inch or so of tape, so Wyoming waited another 
q week until enough applications had accumulated to fill a small reel. 
4 The reel was boxed in a metal carrier to protect the tape from stray 
F magnetic fields that could destroy the intricate magnetic pattern of 
+ the record; then mailed to the National Driver Register at the 
s headquarters of the National Highway Traffic Safety Adminis 
; tration in Washington, D.C. 
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In Nebraska, a slight variation of the same process was taking 
place. There, Doe’s application was singled out early for special 
attention. Because the licensing system of Nebraska does not use a 
central computer file of all license holders, Nebraska does not rou- 
tinely prepare a magnetic tape of all applicants. Instead, each local 
license office prepares and issues the temporary license and merely 
sends a duplicate record of the transaction to State headquarters. 
At headquarters, the record is checked against Nebraska’s list of 
suspended drivers and, if the applicant is applying for his first li- 
cense at the minimum driving age, a permanent license is issued. If 
the applicant is over the minimum age, however, Nebraska takes an 
extra precaution; it types out and forwards to the NDR a Form 
HS-1047 “Request for Search of National Driver Register.” The 
information Nebraska sends about Doe is the same as the Wyoming 
list with one exception: Nebraska has its own system of license 
numbers, and does not report Doe’s Social Security number to the 
NDR. 

When the Wyoming tape reaches the NDR, it is copied onto a 
working tape along with all the other requests received that day. 
The Nebraska request for search requires one extra step. A contract 
data-processing service picks up all forms that are not submitted by 


the States in computer-readable tape or punched cards and prepares 3 


the data for the computer. This processing takes place in a facility 
which, like the facility at NDR itself, is protected against unautho- 
rized access to any of the information. 


When all the requests for a day’s computer run have been as- 3 


sembled on tape, that tape, along with a master list of all drivers in 


the U.S. whose licenses have been reported withdrawn, is fed to the 4 


computer of the Federal Highway Administration’s Computer Ser- 
vices Division. The two lists are matched, name for name, and all 
names common to both lists are printed out. The details of this 


process will be examined later, but for the moment, let us allow | 


Doe his short hour of victory. 


Doe’s applications have reached the NDR before Colorado’s re- a 


port of suspension, and no match against his name appears. 


Meanwhile, the case against Doe in Colorado has been going for- ‘ 
ward. His repeated offenses have earned him enough points fora 4 


three-year suspension and a heavy fine. They could also have earned 


him a jail sentence, but the judge noted that Doe was supporting a q 
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+ family and concluded that withdrawal of Doe’s driving privilege was 


punishment enough. The court’s bailiff collected Doe’s license, 
stamped it ‘“‘Not Valid for Driving,” and returned it to Doe so that 
he could still use it for identification when cashing checks. (Colo- 
rado even issues driver’s licenses to the blind because it has become 
practically impossible to cash a check without one.} Some drivers in 
Doe’s situation ruefully report to the bailiff that they seem to have 
mislaid their license. Although superficially attractive, this ploy is 
usually counterproductive, since it arouses powerful suspicion and 
guarantees special surveillance of the suspended driver. 


In the meantime Colorado is setting out to do its part in making 
Doe’s suspension truly effective. As soon as the court’s order be- 
comes valid, the Division of Motor Vehicles prepares an NDR Form 
HS-1057,‘‘Report to National Driver Register.” This report contains 
the same personal identification data that the search request form 
does and adds other information relating to the withdrawal of the 
license: the date of withdrawal, the date of eligibility for restora- 
tion, and a coded statement of the reason for withdrawal. The 
report is sent to Washington in the form of two punched cards, 
although other States may submit reports of withdrawal in the form 
of computer tape, typewritten forms, or sometimes only copies of 
the original court order suspending the license. 

Whatever the form of entry, a report of license withdrawal is 
soon converted to tape format and added to the roughly 3,500,000 
reports already in the master file of withdrawals that NDR main- 
tains on 24 reels of tape. Each query from the States is compared 
with this master file twice; the first time within 24 hours of the 
time the query reaches the NDR, the second, some weeks later. It is 
this delayed search that is designed to outsmart the John Does who 
apply for a new license before their old ones have actually been 
withdrawn. In Doe’s case, the day after the delayed search a report 
from NDR was mailed to both Wyoming and Nebraska, reporting 
that his license had been withdrawn by Colorado. Date and place of 
birth, Social Security or license number, sex, height, weight, and 
eye color were included to clinch the identification. 

Verification and further action on an NDR report of license with- 
drawal is the sole responsibility of the States themselves, but since 


' all States hold misrepresentation of driving record on an application 
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to be sufficient grounds for denying a license, both of Doe’s un- 
witting accessories in evading the consequences of Colorado’s judg- 
ment have ample reason to withdraw Doe’s newly acquired licenses. 
Furthermore, Doe’s record wili stay in the master file of the NDR 
until a certain statutory period has elapsed. Even after his driving 
privilege has been legally restored by Colorado, Doe will be well 
advised to be completely honest in answering the question, “Has 
your license ever been suspended or withdrawn?” 


The Withdrawal Record 


Now that we have seen the NDR in operation, even if on an 
imaginary case, let us look at the scale of data processing and at 
some of the details of the searching methods. During calendar year 
1972, the NDR filed just over 1,000,000 reports of license with- 
drawal or denial, for a daily average of over 4,000 actions. Over 
17,200,000 requests for file search were received, or about 68,000 
per day. About 375,000 older records were purged from the master 
file after their statutory applicability had expired, leaving a balance 
of more than 3,500,000 records valid. About three-quarters of one 
percent of the inquiries are identified as probably matching a record 
on the master file; of these, there were nearly 124,000 during the 
year, or about 490 per day. 

Title IV of Public Law 89-563 (80 Stat. 730, 401) sets out the 
legal basis for the content of the master file of the NDR: 


The Secretary [of Transportation] shall establish and main- 
tain a register identifying each individual reported to him by a 
State, or political subdivision thereof, as an individual with 
respect to whom such State or political subdivision has denied, 
terminated, or temporarily withdrawn (except a withdrawal 
for less than six months based on a series of nonmoving viola- 
tions) an individual’s license or privilege to. operate a motor 
vehicle. 


Although the language of the law doubtless makes up in precision 
for what it lacks in clarity, the intent seems to be fairly plain: the 
NDR keeps a record of persons who have been denied a license (for 
inability to pass one of the required tests, for instance) or who have 


had their license withdrawn. The NDR reported that in 1972, 48 ; 
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} percent of the withdrawals were for drunken driving, 15 percent for 


repeated moving violations, six percent for violation of restrictions 
(driving during a suspension, for example), another six percent for 
speeding, and the remaining 25 percent for 24 miscellaneous rea- 
sons. 

In reporting a denial or withdrawal to the NDR, a State must 
furnish at least the full name and birth year of the driver. For more 
positive identification, States are strongly urged to submit the full 
date and place of birth, an identifying number, either the Social 
Security number or a driver’s license serial number assigned by a 
State, sex, height, weight, and eye color. The date of withdrawal or 
denial, the reason for the action, and the date on which the driver 
will be eligible for restoration are also reported. The reason for 
denial or withdrawal is reported in the standard violation code let- 
ters of the American Association of Motor Vehicle parma teors, 
of which the following categories are most used: 


DI - Driving under influence DS - Disability 


{or impaired) 
FA ~ Fatality FE - Felony 
FR - Financial Responsibility | HR - Hit-and-run 
MR - Misrepresentation RK - Reckless 


RV - Repeated Violations 
VR - Violation of Restriction 


SP - Speeding 


The NDR can accept the withdrawal report as a filled-in form, 
but it prefers, and most States supply, magnetic tape in a standard- 
ized computer-readable format. 


F The Request for Search 


When a State wishes to have the NDR check its file for a record 
of an applicant, it prepares, either by hand, or as punched cards or 
magnetic tape, a request for search. The request must contain at 
least the surname and the initial of the given name and year of 


F birth, but other identifying data, as in the withdrawal report, are 
usually available. As the scenario indicated, States vary in their 


practices in submitting these requests for search. For 1972, the 


4 NDR reported that 19 States and the District of Columbia check 
‘ both original and renewal applications, 25 other States and Guam 
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check only original applications, while five other States, the Canal 
Zone and the Virgin Islands check only random samples or suspi- 
cious cases. About 80 percent of the search requests are submitted 
in the form of computer-readable magnetic tape. 


Rescission and Restoration 


If a State discovers that it has recorded a denial or withdrawal of ’ 


a license by mistake, or if a person successfully appeals the action, 


it is the responsibility of that State to notify the NDR so that the — 


record of the action can be purged from the files. Similarly, a State 
must report to the NDR that a license has been restored after the 


term of suspension expires. In both these cases, the NDR’s search 3 


program can guarantee a match only if the report of rescission or 


restoration contains exactly the same data as the original report of 4 
withdrawal. States that use manual record-keeping systems some- 4 


times cannot ensure that the two reports are exact duplicates, but 
States with automated systems have a number of technical methods 


at their disposal to generate the restoration report directly from the _ 
original, with very little chance for error. A report of rescission 4 
removes the report of withdrawal from the NDR file, but arestora- 3 


tion action is retained on file for the full statutory period. 


The Search Process 


The fundamental problem in the operation of the NDR is that of 


matching the identity of the subject of a search request with that of 3 
the subject of a withdrawal report. Although we may feel that we q 
have an intuitive understanding of the concept of identity, there are 


legal and practical difficulties behind the proof of identity that 


greatly complicate the operatioa of the NDR. To begin with, most 3 
people feel that their names are the most salient features of per- L 
sonal identification. Although there are undoubtedly many unique 
names, particularly if one includes the middle name, duplicate @ 
names are far from uncommon. A study of the surnames in the files 4 
of the Social Security Administration found the following charac- 4 
teristics in a relatively unbiased sample of the pattern of names ‘ 


borne by the entire American public: 
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e There are more than one million different surnames in 
the files of the Social Security Administration, considering 
only the first six letters of each surname. The number of 
different surnames, considering the entire surname, is not 
estimated but is surely much higher. (The NDR files carry 
surnames out to a maximum of fifteen letters.) 


e The ten thousand most common surnames account for 
only about half of the total number of Social Security 
accounts and account numbers. 


e The two thousand most common surnames include many 
names most people might consider to be uncommon, such 
as Ham, Paris, and Mock.? 


Even though names are not by any means unique identifiers, 
practically every personal data system orders its files on the alpha- 
betization of surname, first name, middle initial. Only in cases of 
restricted populations where the penalty for a mix-up is severe, such 
as customers of banks, do American filing systems depart from the 
pattern. (In Scandinavia, where surnames are extremely restricted, a 
universal identification number or other non-name identifier is a 
practical necessity.) 

There have been several methods developed for translating a 
name into an unambiguous number that can serve as index to a file. 
The oldest of these is the Russell Soundex system, in which the 
consonants of a name are assigned numbers on the basis of a 
phonetic code. Since most errors in the recording of names involve 
mistakes in vowels or the confusion of phonetically similar con- 
sonants, the Soundex consonant numbers group easily confused 
consonants under the same digit (C and K, for example, or D and T, 
would be assigned the same number). The first letter of the surname 
plus the Soundex digits for the next three consonants (or zeros if 
there are none) form an index key that is relatively insensitive to 
the common errors in recording names. 


‘Report of Distribution of Surnames in the Social Security Account Number File 
(Social Security Administration), 1964. 
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The Soundex system does not generate a unique number for each 
surname. It generates an index key under which many different 
(but related) surnames are grouped, usually alphabetized by first 
name. Thus, if Harold Baer’s name happens to appear as “Harry 
Bayer” or “Hal Beer,”’ the search for the proper record will have to 
cover a much smaller fraction of the entire surname file than if the 
file were arranged strictly alphabetically. In practice the Soundex 
code reduces the effect of spelling errors by about two-thirds. 

As an alternative strategy, the file may be arranged not by name 
at all, but rather by an arbitrary identifying number, sometimes one 
furnished by the subject (such as the Social Security number) or 
one generated by a special computer program (such as the IBM 
Personal Identification Code). Computer programs are available 
which yield a unique number of reasonable length for the less- 
common surnames, but the necessity of providing tie-breaking suf- 
fixes to individualize the numbers formed from the common names 
can lead to key numbers of unwieldy length. It is precisely this 
practical problem that underlies the whole subject of record linkage 
and that makes the Social Security number so attractive as an iden- 
tifier.? 

The master files of the Social Security system itself are arranged 
according to the Soundex system. Persons with identical names are 
further identified by date and place of birth and mother’s maiden 
name. The Social Security Administration takes special precautions 
in assigning account numbers to twins, triplets, etc. 

The NDR search program is designed to sacrifice some efficiency 
for the sake of thoroughness. There, identity is sought first by 
surname (up to 15 letters), then by first name, then by middle 
name, then by date of birth. If a data element in either record 
(search request or master file) is blank, the program scores it as a 
match. To print out a possible hit requires a match on at least the 
surname, One initial, and two elements of the date of birth. 

Thus, it is possible for Mary Smith born 10/12/30, to be printed 
out in response to a query for Melvin Smith, born 12/10/43, but 
only if there are no other data elements common to both records; 
that is, if Mary’s eye color is reported but not Melvin’s; Melvin’s 


* See E.D. Acheson, Medical Record Linkage (London: Oxford University Press), 1967, 
pp. 65-81. 
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height but not Mary’s, etc. Along with each possible hit, the com- 
F puter prints a score to evaluate the degree to which the two records 
match. In practice, of course, almost all record pairs have. more data 
F elements in common, and hits reported by the computer are much 
F more closely matched than this hypothetical example. 

Nevertheless, the search program is deliberately designed to be 
F tolerant of mismatch. This is necessary because height and weight 
‘both can change, as can driver license and Social Security number. 
Place of birth is a strong identifier, but is susceptible to too many 
Fambiguities (especially for persons born in metropolitan areas, 
: where, for instance, Staten Island = Richmond Borough = New 
F York City) to be amenable to computer processing. Thus, in spite 
+ of diligent efforts by programmers, efforts that have made the NDR 
- name-matching program probably the best in the country, the possi- 
| ble hits printed out still require, and receive, careful hand-screening 
F before they are released to the States. 

7 This screening process is the biggest single function of the NDR 
F staff; it employs nearly half of the organization’s personnel. Of the 
roughly 5,000 possible hits produced daily, only about 500 survive 
F human scrutiny and get passed on to the States as probable hits. 
e Even so, both the NDR handbook and the “Report of Inquiry 
7 Searched,” the report returned to a State, make it clear that true 
f identity between the applicant and the individual in the master file 
E of withdrawals and denials is only tentative. Furthermore, the file 
s at NDR is legally only an abstract of a record that exists in the files 
}of a State motor vehicles office. Technically, an NDR report is 
; furnished only to help officials in one State to locate the records a 
; driver may have established in another State. 


4 Impact on the Public 


F It is difficult to disagree with the fundamental premise of the 
* NDR: the public should be protected from irresponsible and in- 
F competent drivers, while retaining as much jurisdictional indepen- 
F dence as possible at the State level. But how effective is the NDR in 
F keeping problem drivers off the roads? 

fF Because States vary widely in their licensing practices, firm statis- 
s tics are hard to find. A recent survey of Virginia’s use of the NDR 
showed that the State had taken action against 78 percent of the 
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F who contacts the appropriate State officials by telephone and acts 
F rapidly to clear up confusion on justified complaints. Intervention 
F by the NDR staff is required once or twice per month. Since the 
‘ NDR processes about 1.4 million searches per month, NDR’s con- 
tention that misidentification is a ‘“‘one-in-a-million chance” seems 
t to be borne out. 


probable matches reported. Officials of Alabama estimate that they | 
cancel about 70 licenses per month as a direct result of information | 
supplied by the NDR. These figures extrapolated to the entire 
national population of licensed drivers yield an estimated 4,450 
actions per month, or about 53,400 per year. Assuming an NDR 
budget of roughly $1 million per year, and excluding costs incurred } 
at the State level, this amounts to a direct cost of about $19 per 4 
cancellation. 3 

On the other side of the ledger, the NDR suffers from the drag- ; 
net effect discussed in Chapter II of this report. Before the NDR ¥ 
was established, States ordinarily took the time and effort to search ‘ 
the records of other States only when the circumstances of a license 1 
application were unusual or suspicious. Fewer applicants were 4 
caught misrepresenting their previous driving record, but even fewer 3 
innocent victims of identity mismatches were forced to prove that 4 
their driving records were, in fact, clean. : 

The impact of mistaken identity on innocent applicants is, of 4 
course, heavily dependent on the policy of the inquiring State. To 4 
their credit, most States do treat the NDR search report as what it 1 
is meant to be—a cautionary flag. Only one State, as a matter of 7 
policy, places the burden of proof on the flagged applicant, and‘ 
even there, three-quarters of the identifications are correct. The q 
largest group of complaints coming to the NDR’s attention result 4 
from States failing to report the restoration of a license at the end } 
of the revocation period. The NDR has no statutory authority to 3 
force individual States to comply with any minimum standard of ’ 
reporting accuracy or completeness. Since a dependable, smooth- § 
running NDR is in the best interests of all States, however, com-§ 
pliance is gradually improving, and as more and more States turn to4 
automation for processing all motor vehicle records, the percentage4 
of errors and omissions is steadily decreasing. 

Of the cases of genuine mistaken identity which result in diffi- 4 
culty to an innocent applicant, NDR’s experience is that most are4 
so accidental that no amount of reprogramming of the computer4 
search routines would eliminate them. Nearly all involve persons? 
with the same names and date of birth, and with the other parti 
culars of identification either missing from the States’ reports or! 
coincidentally identical. Recognizing that even very unlikely events? 
occasionally happen, the NDR maintains a service representative 


| Use of the Social Security Number 


From the NDR’s point of view, the Social Security number is not 
a universal identifier, but simply one more readily obtainable ele- 
' ment of personal identification to be used as a “tie-breaker” when 
- more than one record in the master file has the same or similar 
é name and date of birth as the subject of a query. Only ten States 
F use the Social Security number as the driver license number, but 
. that use seems to be spreading inexorably. In practice, the NDR 
F accepts either a State license number or the Social Security number, 
‘ or if special arrangements are made to alter the file format, both 
‘ humbers. The NDR is aware that many people have more than one 
‘ Social Security number, and that a few numbers have been erron- 
F eously assigned to more than one person, but neither of these con- 
¥ ditons has an appreciable impact on everyday operations. 


4 Improper Uses of NDR Data 


_. Section 2 of Public Law 89-563, the statutory basis for NDR’s 
§ operation, specifies that 


Only at the request of a State, a political subdivision there- 
of, or a Federal department or agency, shall the Secretary 
furnish information contained in the register. . .and such infor- 
f mation shall be furnished only with respect to an individual 
applicant for a motor vehicle operator’s license or permit. 


. he NDR staff takes this responsibility very seriously and has de- 
signed strong protections into the data-handling process at every 
Step of the operation. No subpoena has ever been issued for infor- 
mation from the master file, a fact that probably reflects two dif- 
, ferent things: first, the information contained in the master file 
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In connection with a scheduled rewriting of the NDR computer 
program to conform with new Federal standards in the program- 
rming language, the NDR has let a contract to the Safety Manage- 
sment Institute for a thorough study of the future need and objec- 
stives of both the States and the Federal government in the inter- 
estate exchange of driver record information to be serviced by the 
sNDR. In particular, the contractor will examine the possibilities of 
roperating the NDR as a shared-time system with direct-access 
+ computer terminals located at the offices of State’motor vehicle 
f authorities. (Systems of this sort are already in operation in Sweden 
5.and Great Britain where they have not only improved the control of 
drivers who attempt to avoid license suspension by moving from 
one jurisdiction to another, but also have improved the general level 
rof service to all applicants by speeding the processing of licenses 
from application to issué.) 


would not be of much use in law enforcement or in any other 3 
intelligence activity outside the driver licensing speciality; and, 
second, most law enforcement agencies have such good connections 
with the motor vehicle officials that getting a query into the NDR } 
through regular channels would be no problem at all, provided the j 
inquiring agency already knew enough about the suspect to insure a 4 
probable match. 

Occasional requests come to the NDR from persons outside the 4 
motor-vehicle community. These are usually from persons who have } 
misinterpreted newspaper articles about the NDR and believe that it ‘ 
is a master file of all driver’s licenses ever issued, and who want to‘ 
be able to prove that they once held a license and therefore should 4 
not be forced to take a road test in connection with an application 4 
for a new license. In such cases, the NDR explains its file and offers 
the asker the appropriate address to contact the official record. 


keeper of the original State. 4 
f The NDR and Safeguards for Automated Personal Data Systems 


Future Developments : : ; : 
P The NDR is an interesting and instructive test case for the safe- 


pguards for administrative personal data systems recommended by 
; the Secretary’s Advisory Committee in Chapter IV of this report. 
b As we have seen, the NDR is operating well in its statutory func- 
tions and although there are occasional examples of unfair treat- 
-ment to indivduals, these happen through circumstances beyond the 
gcontrol of the NDR itself, and are readily remedied through special 
actions of the NDR staff. Let us examine the recommended safe- 
Esuards as they would apply to NDR to see whether they would 
s forestall all unfair use of NDR data without placing a crippling 
Fburden on the system. 

& The first general requirement of the safeguards, [.A., is that data 
emay be transferred from a manual system into an automated system 
that is not protected by the safeguards only with the informed 
-consent of the data subject. The NDR is exclusively an automated 
system; all its records about drivers are part of the system. Accord- 
singly, requirement JA. is not pertinent to the NDR and transfers of 
hdata therefrom. 

s The general personnel requirements of the safeguards, 1B. (1), 
2) and (3), relate to the responsibilities of the supervisors and 


The present state of the NDR is the product of more than 12 
years of evolution from the Register’s beginnings in 1960. At first, 4 
the NDR master list was restricted to reports of withdrawals that 4 
resulted from drunken driving or culpable fatal accidents. In 1966, 4 
the law was amended to permit filing under considerably wider 4 
latitude. There are occasional suggestions from highway safety 4 
groups that the NDR become a clearinghouse for all traffic offenses, 
whether or not they result in the withdrawal of a driver’s license. ’ 
The most specific of these suggestions came from Franklin M. 4 
Kremel, President of the Automobile Manufacturers’ Association of ; 
America in testimony before the Subcommittee on Roads of the 4 
House Committee on Public Works on April 12, 1972. There, Mr. 4 
Kremel proposed that “[traffic] offenses committed in any state4q 
which are subject to action in any other state go on record in the 
driver’s home state.” The same clearinghouse mechanism that the4 
NDR now provides could accomplish such a goal, but the volume of 
data which would pass through such an ambitious system would$ 
require expansion of the present NDR by a factor of at least one? 
hundred, as well as much stricter standards of driver identification4 
than many States now use. 
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F tions. Within the present limited scope of NDR operations, there is 
+ little risk of individuals being hurt by the quality deficiencies that 
may exist in the NDR State-agency-furnished data base. As we 
' noted earlier, no actions against individuals are supposed to be 
F taken on the basis of the reports of probable matches that are 
furnished by the NDR. Furthermore, the States have a collective 
§ incentive to supply accurate and timely data, because the utility of 
f the NDR system for them depends on their doing so. 

; If the purposes of the system were broadened so as to require a 
: significant increase in the scope of the NDR’s data base, the diffi- 
: culty of assuring data quality could increase to the point that the 
} tisk of harm to individual drivers might become substantial. 

- The NDR maintains a data purging schedule such as that required 
, by LB. (8). A feature of the daily file maintenance program checks 
: each entry for date and. automatically selects those eligible for 
F purge. 

The public notice requirement of /7. should present no problem 
p. for any system; they have in principle already been met in part for 
» the NDR through Department of Transportation booklets and press 
b. releases. Some items of information, called for in the notice require- 
; ment, which have not been publicized, could easily be added to a 
; future publication. 

4 Rights of individual data subjects are enumerated below as they 
-appear in part Z//, of the safeguard requirements. We summarize 
y them for purposes of the discussion that follows: 


employees of a system. As the foregoing description of the opera: ! 
tion of the NDR has outlined, adherence to these requirements 4 
would be consistent with the NDR’s existing operating philosophy 
and practices. 

The requirement, 1B. (4), for security precautions against un- 4 
authorized access, theft, or malicious destruction of the data is 4 
probably met to a sufficient degree, considering the anticipated 4 
threats to the system, by the security measures in force. q 

The restriction on transfer of data to a less secure system called § 
for by requirement 1B. (5) appears to be met by present NDR + 
practice as governed by the NDR legislation. The NDR has no statu- q 
tory authority to enforce data security requirements on the li- 4 
censing agencies to which it transfers data. Therefore, if the NDR 4 
has reason to doubt that any particular transferee of its data is 3 
adhering strictly to statutory limitations on the data interchange g 
purposes of the NDR system, it can and should refrain from fur- § 
nishing that agency with data. q 

LB. (6) requires that a system maintain a record of access and use ¥ 
of the data on file. There is an internal accounting program in the 
NDR to record each possible match and to print out every change 
in the master file. The mere comparison of an inquiry against ag 
name in the NDR does not produce a record unless there is at least 
a possible match. : 

The requirement of /.B. (7) that a system maintain data with 
appropriate accuracy, completeness, timeliness, and pertinence will 
present problems for intergovernmental clearinghouse systems sucha 
as the NDR and the FBI’s National Crime Information Center. (The 
NDR is almost wholly dependent for the quality of its data base ons 
the State agencies that furnish records of license denial and with-3 
drawal.) Reflecting the separation of powers between the States and 4 
the Federal government, the NDR is limited under its legislation to’ 
rely on moral suasion and exhortation to convince the State’ 
agencies to conform to data quality standards for the system. The! 
threat of expulsion from the system of a State that fails to meet 
NDR standards is not wholly acceptable, since the effect of exclud4 
ing one State would harm other States as well. In practice, the NDR 
offers a program of voluntary technical assistance to help States tod 
perfect their record-keeping systems, but it refrains from putting 
too much Federal pressure on politically sensitive State administra3 


(1) Inform an individual asked to supply data for the system 
whether he may legally refuse to supply the information re- 
quested. 


- Since the NDR system does not obtain data about individuals by 
B Tequesting it from them, occasion for complying with this request 
5 would not arise for the NDR. 


(2) Inform the individual, upon his request, whether he is the 
F subject of data in the system, and, if so, make a copy available 
a to him upon request. 
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licenses for drunken driving more often than non-alcoholic drivers.? 
' (They had—about ten times more. often.) Two points deserve to be 
+ taised in mitigation: first-the purpose of the study is clearly related 

‘to. the promotion of traffic safety,’ the fundamental purpose for 
' which the NDR exists: second, the report of the study makes it 
; plain that the anonymity of the subjects of both registers was care- 

fully protected. Nevertheless, use of NDR data for research pur- 
poses is outside the authorized and stated purposes of the system. 


The NDR could in practice comply with both elements of this ' 
requirement without difficulty provided the individual’s request } 
furnished identifying data about himself that closely corresponed to | 
those furnished by the reporting agency in a record of his license 
denial or withdrawal. A search of the NDR file with mismatching $ 
query data would fail to find a record that was in the file. ; 

As a legal and policy matter, the following points deserve men- | 
tion. The NDR interprets its statute as authorizing it to provide ! 
data only to driver licensing agencies. Specific legislation might 4 
therefore be required to enable the NDR to furnish data directly to 4 
a requesting individual. (The present statute would appear not to 4 
preclude the NDR from informing an individual of the mere fact ¢ 
that he is, or is not, in its file.) If a request for data were made on d 
behalf of the individual by a driver licensing agency, the NDR might 4 
properly be able to furnish the data consistent with the present 4 
statute, though it can be argued that even a licensing agency can % 
only request an NDR report about an individual when he is an 4 
applicant for a license. ; 

As a policy matter, it might be argued that an individual should 4 
be precluded from learning about his NDR record status on the * 
ground that if he learned that the NDR did not have a record of 4 
some license withdrawal he had suffered, he would be free to cir- 3 
cumvent the purpose of the NDR by making a fraudulent applica- 4 
tion, secure in the knowledge that he would not be detected. This 
argument might be the basis of exempting the NDR from safeguard P 
requirement JIT. (2). 3 


(4) Inform the individual, upon his request, about all the uses 
made of the information about him, including the identity of 
all persons and organziations involved. 


This requirement would present no technical difficulty for the 
4 NDR, since a record of all matches disseminated to the States is 
. Iade as a matter of routine. The passive nature of the NDR as a 
; Clearinghouse makes it very unlikely that any match report would 
» ever be generated which did not originate in the data subject 
¢ himself making an application for a license. 


(5) Assure that no data about an individual are made available 
from the system through compulsory legal process, unless the 
individual has been notified of the demand. 


} The managers of the NDR report that there has never yet been a 
s subpoena issued against data in the file. This probably reflects the 
+ fact that a law-enforcement agency would have much more direct 
f access to the same information from the original court or licensing 
F agency records. If the police wanted to fish, however, to see 
¢ whether a suspect had a license withdrawal in any State, access to 
# the NDR system could save much time and searching. In such a 
p case, it would be a tempting solution merely to file a bogus license 
, 4pplication through the normal channels of query. The present law 
= §6does not allow this subterfuge. An amendment proposed in 1971 
F (H.R. 9352, 92nd Congress, Ist Session) would have allowed the 


(3) Assure that the data are used only for the stated purposes 
of the system, unless the informed consent of the subject is 
obtained. 


Adherence to this requirement by the NDR is apparently guaran- 4 
teed by the strict restriction on access and use imposed by the NDR @ 
statute. That law appears to have been bent, however, in at least 4 
one instance. In a research study on the driving records of diag-: 
nosed alcoholics, the names of known alcoholics from the Maryland 
Psychiatric Case Register (a computer-based file of patient records 4 
from Maryland’s mental-health institutions) were matched against 4 
the NDR file to determine whether clinical alcholics had lost their; 


j > Rosenberg, Nathan; Goldberg, Irving D.; Williams, George W., “Alcoholism and 
Drunken Driving—Evidence from Psychiatric and Driver Registers,” Quarterly Journal of 
» Studies on Alcohol, Vol. 33, No. 4 (December 1972), pp. 1129-1143. 
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NDR to furnish information to a judge upon his written request, if 
the information were to be used for consideration in the imposition 
of an appropriate sentence. 


(6) Maintain procedures that allow the data subject to contest 
the accuracy, etc., of the data and to correct or amend faulty 
or controversial information. 


As the NDR presently operates, once a data subject has 
established, through having his license application erroneously 
rejected, that the expiration or rescission of a prior license 
suspension has not been properly recorded in the NDR file, the 
NDR management had developed procedures for working with the 
appropriate State officials to correct the error in its file. (These 
procedures could readily be made part of the public notice 
statement. ) 


Summary 


In nearly 12 years of operation, the NDR has achieved a balance 
between the pressures of its mission to protect the public from 
drivers of demonstrated incompetence or irresponsibility and the 
need of the public to be protected from the potential excesses of an 
intractable computer-based dragnet. Its operational efficiency is 
evident in the speed and economy with which the records are 


searched. Its attention to the protection of the citizens is evident in j 
the vanishingly small number of genuine complaints that arise, and 4 


in the dispatch with which those complaints are resolved. 
In the NDR, this balance has evolved through a period of time 


that is long in comparison to the age of many computerized 3 


systems. The procedures and safeguards developed through the 
experience of the NDR and other well-adapted, stable systems 


deserve to be widely imitated in many new systems that are stillin 4 
their awkward youth or even still in gestation. The fundamental 4 
purpose of the proposed safeguards of the Secretary’s Advisory % 
Committee is to distill the qualities that make the good systems ¥ 
good and to apply them to all systems to forestall the growth of 


bad ones. 
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Testing the proposed safeguards against the actual conditions of 
operation of the NDR shows that introduction of the safeguards 
would by no means interfere with the work of a system of 
demonstrable merit. Neither would the continued operation of the 
NDR depend on significant deviation from the safeguards, These are 
clear and encouraging signs that both the NDR and the safeguards 
may be expected to prove durable and useful. 
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e ment of computerized information and intelligence systems. It has 
i not, however, given adequate attention to the warnings of the 
a Crime Commission or demonstrated adequate appreciation of the 
fF consequences Of a massive accumulation of personal dossiers at the 
* national level. 

F Millions of dollars of { National] Institute [of Law Enforcement 
* and Criminal Justice] and discretionary grants have supported the 
creation of a national computerized file of criminal histories that is 
fed by LEAA block grant-funded state information systems. The 
initial design of the system followed the decentralized model 


APPENDIX E 


eeitslgrs 


Computerized Criminal Information 
and Intelligence Systems* 


The application of computer technology to criminal justice 3 
information systems was recommended by the President’s Crime 4 


Commission! as an important tool for improving the deployment of 
criminal justice resources and for keeping track of criminal of- 
fenders. The commission warned, however, that special precau- 
tionary steps would have to be taken to protect individual rights 
and recommended that primary control of computerized informa- 
tion systems be retained at the state and local levels to avoid the 
development of a centralized file subject to Executive manipula- 


tion. 


ment of Justice] has effectively concentrated a variety of resources, 


including research, discretionary and block grants, in' the develop- ; 


*Reprinted, 
Performance Under Title I of the Omnibus Crime Control and Safe Streets Act of 1968, 
prepared under the direction of Sarah C. Carey for the Lawyer’s Committee for Civil 
Rights Under Law (Washington, D.C.), 1973, Chapter Il, pp. 41-49. The Acting Director 
of the FBI submitted comments on this paper for the record of Hearings on Nomination 
of Louis Patrick Gray HT, before 
93rd Cong., 1st Session (1973); 
Hearings. 


1 The President’s Commission on Law Enforcement and Administration of Justice. The + 
Commission’s report entitled, The Challenge of Crime in a Free Society, was published in 4 


February 1967. 


ran 


LEAA [Law Enforcement Assistance Administration, Depart- q 


with permission, from Law and Disorder Il]: State and Federal * 


the Committee on the Judiciary, United States Senate, ; 
the comments will be found at pp. 265-268 of the q 


recommended by the Crime Commission, but in January 1970, 
* former Attorney General John N. Mitchell decided—over the objec- 
a tions of LEAA—to make the system a more centralized one. To 
® accomplish this purpose, he transferred the file system from LEAA 
to the FBI. ; 
LEAA has simultaneously given the states substantial grants to 
create intelligence systems directed primarily toward organized 
crime, civil disorders and the activities of dissenters. . .. Some of 
these files are being maintained by the same agencies that operate 
».. the more reliable information files, creating the possibility that the 
y.. two will be used jointly. At the federal level the Attorney General 
. has the power to combine intelligence with information files, but he 
apparently has not exercised that power, on a regular basis. 
All of this has occurred without broad public policy debate 
; about the desirability of the new systems and with little serious 
effort to determine whether the contribution they make to con- 
trolling crime outweighs their potential for eroding privacy and 
individual autonomy, or whether that potential can be reduced or 
controlled. 
LEAA’s investment in information and intelligence systems must 
be placed in the context of the over-all Justice Department strategy 
for strengthening the law enforcement capability of the federal 
government and for building up the powers of police and prosecu- 
tors at all levels. During his tenure as Attorney General (1968-72) 
Ee John N, Mitchell made it clear that these were major goals of his 
administration. To this end he greatly expanded federal surveillance 
of citizens thought to be threats to internal security, justifying his 
: action on the theory that the Executive has inherent and discretion- 
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ary power to protect itself.? He made aggressive use of existing 
laws, and sought and obtained significant new legislation to arm 
police and prosecutors with expanded authority to monitor 
individual conduct in order to prevent or punish potential crimes.’ 
These developments, when viewed in conjunction with the new 
surveillance technology funded by LEAA grants and the national 
computerized file on criminal offenders, greatly increase the 
capability of the government to monitor the activities of all citizens 
and to step in to prevent or punish those activities where it chooses 
to do so.* 

The new criminal justice information network can be used in 
conjunction with the vast government and private computer 
dossiers being compiled by credit bureaus, insurance companies, 
welfare agencies, mental health units and others.’ Cumulatively, 
these files threaten an “information tyranny” that could lock each 


?See the statement of William H. Rehnquist, Hearings on Federal Data Banks, 
Computers and the Bill of Rights, Senate Subcommittee on Constitutional Rights, 92nd 
Congress, ist Session (February-March 1971) p. 597, et seq.,, March 11, 1971. (Referred to 
hereafter as Senate Constitutional Rights Subcommittee Hearings.) The Supreme Court 
rejected the argument that warrantless wiretapping is permissible, in United States v. 
United States District Court, 407 U.S. 297, 40 U.S.L.W. 4761 (1972) 

3For example, under Mitchell’s leadership the Justice Department implemented Titles 
ii (expanding federal wiretapping powers) and III (weakening the strict exclusionary rules 
developed after the Supreme Court’s ruling in Miranda v, Arizona) of the Safe Streets Act 
of 1968. In addition the department has sought and obtained new legislation such as the 
D.C. Crime Bill, the Organized Crime Act of 1970 and the Comprehensive Drug Abuse 
Prevention and Control Act of 1970, which greatly expanded federal law enforcement 


powers, These three bills include a number of provisions of dubious constitutionality, such 4 
as authority for preventive detention of suspects, for police to enter homes without 4 
warning (‘‘no-knock”), for courts to impose greatly expanded sentences for “dangerous 3 


special offenders,” and for grand juries to function with increased powers. 
*A recent federal court ruling on another matter describes the congressional intent not 
to create a national police force through the LEAA program. In Ely v. Velde, 451 F.2d 


1131, at 1136 (4th Cir. 1972}, the court stated: “The dominant concern of Congress’ 4 


apparently was to guard against any tendency toward federalization of local police and law 
enforcement agencies.” Congress feared that “overbroad federal control of state law 


enforcement could result in the creation of an Orwellian ‘federal police force’... .The dq 
legislative history reflects the congressional purpose to shield the routine operation of 3 
local police forces from ongoing control by LEAA~a control which conceivably could 3 


turn the local police into an arm of the federal government.” 


5The courts can and do protect individual’s constitutional rights when they are 4 
specifically threatened by overt government action, But judicial intervention is, by nature, 4 


episodic and primarily remedial rather than preventive. Until governmental overreaching 


ripens into concrete, demonstrable injury—such as the use of illegal evidence at trial, the 4 
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al 


* citizen into his past; they signal the end of a uniquely American 


promise—that the individual can shed past mistakes and entangle- 
ments, and start out anew. 

There are no federal and few state laws regulating the national 
criminal information system or its components. Few laws contro] 
the host of related public and private information systems. And any 
constitutional protections that exist are limited and narrowly de- 
fined.‘ Without controls, the systems continue to evolve primarily 
by force of their own momentum. In part through the well-meaning 
actions of LEAA the prophecy of Dr. Jerome Weisner, MIT presi- 
dent, is being realized: 


Such a depersonalizing state of affairs could occur without overt 
decisions, without high-level encouragement or support and totally 
independent of malicious intent: The great danger is that we could 
become information bound, because each step in the development 
of an information tyranny appeared to be constructive and useful.” 


Computerized Criminal History Files 


When the LEAA program began [in 1969], a few states had 
established centralized files of criminal offender histories to assist 
police departments in the identification and prosecution of sus- 
pects. For example, New York State’s Identification and Intelli- 
gence System (NYSIIS), operating on an annual budget in excess of 
$5 million, had more than two or three million fingerprints and 


d 500,000 summary criminal histories on its computer. Additional 


- (Continued) 
loss of employment or the disbanding of a political organization—the courts will not 
recognize that it is harmful. See, for example, Laird v. Tatum, 408 U.S. 1, 40 U.S.L.W. 
4850 Gune 26, 1972), rejecting a claim that military surveillance of persons involved in 
domestic political activities violates the Constitution. 

: “In many ways these data banks are far more threatening than those maintained by 
criminal justice agencies. The over-all problem of computers and privacy is well presented 


ir Miller, Assault on Privacy: Computers, Data Banks and Dossiers (1972), and in the 


hearings cited above, n.2. 
7 Senate Constitutional Rights. Subcommittee Hearings, March 11 , 1971, p. 671. 


*NYSIIS performs a variety of functions in regard to this data: fingerprint processing 
not yet computerized), name searching, wanted system (NCIC interface), personal 


appearance/arrestee file searches and review of latent fingerprinting material.(NYSHS Fact 


Str SHES orate 


POR STROMA A amt ces, en Ra ct eee teers = ' 


BASS TRE aie n rum c te. 
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; Today it is clear the NCIC and the few systems such as NYSHS 
F were relatively primitive, first generation data banks. In, the past 
p three years, with the investment of more than $50 million in 
f ‘Institute, discretionary and block grant funds, LEAA has launched 
f 4 program that by 1975 promises computerized criminal history 
files kept by all 50 states that will be tied in to (“interfaced with’’) 
F a massive national file run by the FBI. The states will place in the 
* central FBI file only information of public record pertaining to 
. people who have been accused of “‘serious and other significant 
violations.” The central file will consist of comprehensive histories 
F Of persons who violate federal laws or who commit crimes in more 
f than one state and summary histories on offenders who have been 
‘ involved solely in intrastate crimes.’ ° Any authorized inquirers' ' 

;, will have access to the central records, and will be referred to the 
» relevant state files for further information. The individual state 
ie: systems will include whatever information or intelligence the states 
ms: choose to put into them and will be accessible on terms defined by 

each state. 

. This ambitious centralized program developed out of the System 
a for Electronic Analysis and Retrieval of Criminal Histories (Project 
i. SEARCH), a $16-million demonstration project supported by 
bE LEAA discretionary and Institute grants, in which 20 states shared 
¢ criminal histories through a computerized central data index.'? 

. SEARCH was intended as a prototype for a national computer file 
_ which would facilitate prompt apprehension of interstate felons.’ ? 


fingerprints and criminal histories existed in manual files. Included 
in both the files were “criminal wanteds” for felonies and. misde- 
meanors, escapees from penal institutions, parole and probation 
absconders, elopees from mental institutions and missing persons. 
More than 3,600 local law enforcement agencies submitted informa- 
tion to the files and used them to check out suspects and new 
arrests. Other states, such as California, Michigan and Florida, were 
developing systems, but for the most part centralized, computerized 
record-keeping was rudimentary. The extent to which the state files 
expedited or otherwise improved law enforcement had not been 
demonstrated. 

At the national level the FBI maintained the National Crime 
Information Center (NCIC). This system operated through local law 
enforcement control terminals (as of early 1972 there were 102 
terminals, of which 48 were computerized) that put the FBI in 
direct touch with approximately 4,000 of the nation’s 40,000 local 
law enforcement agencies. NCIC cost about $2.3 million per year to 
operate. The system contained files on stolen items, such as 
vehicles, firearms, boats and securities, and on wanted persons. Of 
the 3.1 million NCIC files, only about 300,000 were active criminal 
offender records. On an average, the NCIC system found a record or 
produced a “hit” on about 6 percent of the queries it received from 
local agencies (some estimates have been as low as 2 percent). In 
addition to the NCIC system, the FBI maintained more than 190 
million identification and fingerprint files and approximately 20 
million criminal offender records in permanent manual files. 

Federal, state and local law enforcement agencies all contributed 
information to and could extract information from the NCIC files. 
In addition, NCIC records were searched as part of the identifica- | 
tion service that the FBI provides for agencies of federal and state 4% 
governments and other authorized institutions, including hospitals 4 
and national banks, which seek information on an individual’s arrest § 
record for purposes of employment clearances and licensing.® 4 


of NCIC for this purpose, The coust did preclude the distribution of arrest records except 
E for law enforcement and federal employment purposes, but Congress overruled this 
.: exclusion in approving the FBY’s 1972 appropriation (See n. 29, infra} 
a ?°Summary criminal histories contain public record information such as fingerprints 
F.. (where available), personal description, arrests, charges, dates and places of arrest, arresting 
4 agencies, court dispositions, sentences, limited institutional data and limited information 
E. concerning parole and probation. 
*1 “Authorized inquirers” include any agency that now participates in the FBI’s 
system, plus any agency subsequently permitted to do so by the Attorney General. 
..'?The states participating in the’ SEARCH experiment were Arkansas, Arizona, 
; Gilifornia, Colorado, Connecticut, Florida, Georgia, Iinois, Maryland, Massachusetts, 
Michigan, Minnesota, Nebraska, New Jersey, New York, Ohio, Pennsylvania, Texas, Utah 
nd Washington. 


= "PAs the FBI put it: “Fhe purpose of centralization. . .is to contend with increasing 
criminal mobility. (NCIC Advisory Board, “Computerized History Program: Background, 
(Continued) 


9Executive Order 10450 (April 1953) calls for an investigation of any individual 3 
appointed “in any department or agency of the government,” and provides that “inno ¥ 
event shall the investigation include less than a national agency check (including a check of j 
the fingerprint files of the FBI), and written inquiries to appropriate local law 4 
enforcement agencies...” In Menard v, Mitchell, 328 F, Supp. 718 (D.D.C, 1971), the 3 
court suggested the Executive Order should be reexamined, but refused to enjoin the use @ 
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The project was funded through the California Council on i 


Criminal Justice. Primary developmental responsibility was con- 
tracted to Public Systems Inc. (PSI), a research and development 
firm based in San Jose.’ * PSI was aided by task forces and advisory 
committees composed of representatives from the participating 
states. The major assignment of the SEARCH group was to develop 
standard, computerized criminal history records, summaries of 
which could be filed in a central index. Computer terminals in the 
individual states could submit information to the central index and 
query it for identification of suspects. If the central index con- 
tained matching references concerning the subject of a query, the 
summary index data was transmitted to the inquiring police officer 
and he was told which state had the full file on the suspect. The 


officer could then request and obtain a copy of the suspect’s full 4 


record via teletype from the state agency. The initial focus of the 
system—like its predecessors—was on police requirements; but the 
project design anticipated subsequent development of a capability 


to service the information needs of courts and corrections officials 3 


as well, '5 
On March 9, 1971, LEAA Associate Administrator Richard W. 
Velde testified before the Senate Subcommittee on Constitutional 


Rights that: 
The basic problems facing SEARCH in the demonstration 


period have been solved. A common format for criminal 
histories was developed, and in machine-readable form. Each 


(Continued) 


Concept and Policy,” as approved March 31, 1971, and amended Aug. 31, 1971.) FBI data 4 
show that 25 percent of arrests involve interstate movement by felons. A preliminary % 
survey by SEARCH put the figure at around 27 percent but estimated that most of these 4 


arrests were in contiguous states. 


'4Eight of PSI’s key personnel are from Sylvania Sociosystems Lab (a research and 4 
development arm of GTE Sylvania), and one is the former head of California’s SPA, the 


California Council on Criminal Justice. 


18We disagree with LEAA’s assumption that across-the-board increases in offender # 
data are desirable for all decision-making processes within the criminal justice system. For J 
example, arrest records not followed by convictions or juvenile offenses probably should % 
not be made available to sentencing judges or to parole boards. LEAA recently made a 4 
grant to the Federal Judicial Center to finance the transfer of all data processed through 4 
the Federal courts to the Justice Department. Sen. Ervin has questioned the propriety of 
this arrangement under the separation of powers principle. (Letter of July 27, 1972, from 4 


Sen. Ervin to the Hon. Alfred P. Murrah, Federal Judicial Center.) 
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' active participant converted at least 10,000 felony records to 


the SEARCH system for the demonstration. As the test period 
showed, a state making an inquiry of the central index with 
perhaps no more information than a driver’s license number 
could find out if that person were in the (national) index and 
then be switched to the state holding the complete criminal 
history. It takes merely seconds to do all of that and receive 
the information.’ ¢ 


Computer experts were less sanguine about the success of the 


4 experiment. Some noted that only a small number of the SEARCH 
3 : states had actually participated in the demonstration and suggested 
' that the test simply duplicated what the FBI’s NCIC had already 


demonstrated. Datamation magazine reported on the SEARCH 


# demonstation as follows: 


Ten states officially participated in the demonstration, but 
only New York made any extensive operational uses of the 
system, and a total of only five states conducted any 
demonstrations. .. SEARCH met its demonstration objectives 
from a conceptual point of view, but did not achieve much 
operational success, because of design compromises, lack of 
updating capability for the central index and failure to develop 
record formats acceptable to all users, among other reasons. ” 


Despite these criticisms, and over the protests of LEAA Director 
Jerris Leonard and the states that had participated in the project, 
EARCH became the launching pad for an expanded and “im- 


-proved” criminal offender system to be operated by the FBI. 
-Fransfer of system control to the FBI meant that, instead of a 
E: network of state-controlled files tied into a limited central index, 
4 the SEARCH system became a national file run by a line operating 
ye agency. More importantly, judging from the debate on the subject 
; that raged for months, FBI control meant diminished operational 


tandards for the system’s integrity, and attenuation of safeguards 


‘for individual privacy. 


16 Senate Constitutional Rights Subcommittee Hearings, p. 611. 
17 Phil Hirsch, Datamation magazine, June 15, 1971, pp. 28-31. 
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The conflict between the FBI and the Project SEARCH group ~ 


had emerged in May 1970. In a letter dated May 8, 1970, Jerome J. 
Daunt, then director of the FBI's NCIC system, wrote to the 
SEARCH group complaining about various recommendations in the 
Interim Report of the SEARCH Committee on Security and 
Privacy. Among other items, the letter stated: 


Throughout the report Project SEARCH is described as an 
ongoing system. Future developments of this system are not 
the proper objectives of the Project SEARCH group.... 

In view of the limited purpose of the Project SEARCH, 
further studies in the area of privacy and security are not 
jusitified. If there is a need, it should be done by some other 
body. 


The conflict became more pointed. In a letter of Oct. 15, 1970, 
John F.X. Irving, then chairman of the state planning agency’s 
executive committee, wrote to Attorney General Mitchell pro- 
testing the proposed transfer of control over the SEARCH system 
to the FBI as well as certain “changes in direction” of the system. 
Irving complained that duplication would result because the states 
intended to continue developing their own system * and protested 
that the FBI’s plan to focus on data useful to the police only 
ignored the needs of courts and corrections agencies. Irving also 
argued that the FBI system, by dealing directly with city police 
departments instead of going through the states, would subvert the 
federal-state relationship contemplated by the Safe Streets Act. 

The strongest protest in Irving’s letter was directed to the 
potential invasions of privacy inherent in a federal information 


system. 


Last, but certainly not least, the FBI’s proposed file is 
significantly different in both conception and content from 
the state-held files contémplated by Project SEARCH. The 
basic underlying concept of Project SEARCH is that no new 
national data banks or criminal history files should be created 


ge 
18 By altering the basic system design for SEARCH, FBI requirements could increase 4 
o 40 percent, apart from the possible duplication involved. Interview with 4 


the cost by 30 t 
Jerry Emmer, LEAA official. 
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because of the inherent threats to individual privacy and the 
security of records. The Project SEARCH operating concept is 
state-held files with a national index or directory of of- 
fenders. .. .The FBI file, on the other. hand, would contain as 
much detailed data on offenders as the FBI was willing and 
able to collect. It is not a true index but rather a federal data 
bank on offenders. 


The FBI countered that expanding SEARCH as a state- 


dominated system would increase the over-all costs and would 


duplicate the NCIC system. More importantly, a system subject to 


the control of 50 state executives could be abused too easily. As 


Jerome Daunt put it: “If the governor controlled the system, he 


5. could control who gets elected.” 


The protests by the states and by Jerris Leonard were to no avail. 


4 The FBI took control of the SEARCH index in December 1970. 
4 The decision was John Mitchell’s. In November 1971 the bureau 
% notified the press that: 


The Federal of Investigation has begun operation of a com- 
puterized criminal history data bank that eventually will give 
police almost instantaneous access to an individual’s criminal 
arrest record from all 50 states and some federal investigative 
agencies and the courts... .The system. . .will make available 
by 1975 on a nationwide computer network most of the 
information now handled through the FBI’s vast criminal 
record and fingerprint files... .It replaces a pilot effort, called 
Project SEARCH, in which only a computerized index was 
maintained, capable of telling police if a suspect had a 
record,! 9 


' Although the November 1971 announcement signaled the end of 
LEAA control of the system, the agency has continued to be in- 


. volved in the development and expansion of information systems. 
a Project SEARCH has been given discretionary and research grants 


for developing related technology, such as satellite transmission of 


a information, automatic fingerprint indentification/veritication and 
; additional work on transaction-based criminal justice statistics. And 


19 Justice Department news release, November 1971. 
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LEAA block grants have continued to serve as the primary source 
of funding for the state information systems that will be the major 
components of the NCIC criminal history information system. 
Despite LEAA’s expressed concern for privacy considerations in the 
operation of information systems, it has not sought to precondition 
the use of its funds for such systems on the development by the 
states of adequate statutory or regulatory safeguards. 

It is difficult to obtain reliable information concerning the 
present or projected scope, cost or structure of the new FBI data 
bank. At the federal level a variety of agencies are scheduled. to 
participate in the system, most of which have been previously active 
in the NCIC system. Among others, the system will receive data and 
answer inquiries from the Secret Service, the Internal Revenue 
Service, the Alcohol and Tax Division of the Treasury Department, 
the Bureau of Customs, the Immigration and Naturalization Service, 
the Bureau of Prisons, the U. S. Attorneys and U. S. Marshals. As 
far as the states are concerned, at the time of the FBI’s November 
1971 press release, only one state—Florida—was actually contri- 
buting information to the file. The next two states—New York and 
California—were not scheduled to participate until July 1972. 
(.. California will probably not be ready for full participation until 
1973.) In most instances, the states do not have their own systems 
operational—or even designed. 

Official estimates of the total number of individuals who will 
eventually be included in the national file range from five million 
(the FBI estimate) to 20 million or more (the LEAA estimate). The 


number of files in the total system including all the state files will, | 
of course, be much greater. Neither LEAA nor the FBI will provide 4 


information on the total costs involved. 


Nor is it clear whether the FBI’s file will be comprehensive, or 4 
simply a summary index that refers inquirers to the state files. The 4 
FBI has stated that it plans to maintain complete files only on 
offenders who have been arrested in more than one state, main- i 
taining “summary files” on offenders who have been arrested q 
within a single state only. State control centers will be able to add 4 
or remove information from the national file. However, for those 1 
states that have not yet built a central computerized information § 
file, the FBI is presently maintaining complete offender files in 4 
both situations. The fact that the agency is presently maintaining é 
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3 complete files for all states makes is doubtful that they will sub- 
1 sequently abandon those files.?° 

4 The kinds of information to be stored in the data file and the 
«. conditions of participation in the system are not defined by statute 
or by formal regulations. The only standards regulating the system 
are those set forth in the NCIC Advisory Board policy paper.?? 
F Each state seeking to participate in the system must sign a contract 
with the director of the FBI, agreeing to abide by the terms of the 
policy paper and by any “‘rules, policies and procedures hereinafter 
adopted by NCIC.” The contracting state must also agree to 
indemnify the federal agency against any legal claims arising out of 
the operation of the information system. The FBI claims that the 
majority of the states—“‘all but three or four,” according to Daunt 
“and those have technical not substantive problems with the 
system”’—have signed the contract and thereby accepted the terms 
of the policy paper. 

The NCIC standards are substantially less rigorous than those 
developed by LEAA’s Project SEARCH, and in many instances 
their adoption was met by vigorous objections from LEAA, the 
sah [state planning agencies] and the Project SEARCH partici- 
pants. 

Under the NCIC policies, the national file is restricted to data on 
“serious and other significant violations.” This is defined by 
exclusion: 


Excluded from the national index will be juvenile offenders 
as defined by state law (unless the juvenile is tried in court as 


a The basic policies developed for the FBI system by the NCIC Advisory Policy Board 
hh the developed system, single state records will become an abbreviated 
criminal history record in the national index with switching capability for the states 
to obtain the detailed record. Such an abbreviated record should contain sufficient 
+. data to satisfy most inquiry needs, i.e., identification segment, originating agency 
charge data, disposition of each criterion offense and current status. This will 
substantially reduce storage costs and.eliminate additional duplication. 
as The NCIC Policy Paper, supra n. 13. The board is appointed by and serves at the 
etion of the director of the FBI. Its members are individuals responsible for the 
administration of state information systems or state or local terminals on the NCIC 
system, Recently, procedures were introducted for electing board members from among 
icipating state officials. It does not include constitutional lawyers, computer experts 
other nonlaw enforcement representatives, 


2 
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an adult); charges of drunkeness and/or vagrancy; certain 
public order offenses, i.e., disturbing the peace, curfew viola- 
tions, loitering, false fire alarm; traffic violations (except data 
will be stored on arrests for man-slaughter, driving under the 
influence of drugs or alcohol, and “hit and run’’); and non- 
specific charges of suspicion or investigation. ? 


Narcotic or mental commitment records will be maintained if they 
are part of the criminal justice process. Domestic crimes such as 
nonsupport or adultery and victimless crimes such as homo- 
sexuality, gambling and others are considered “serious” in some 
jurisdictions.? * Moreover, any state or locality may store additional 
information in its own files, which can be disseminated upon re- 
quests referred to the state or local police department by the cen- 
tral index.24 Besides the criminal record data on serious offenders, 
the Justice Department has asserted an absolute right to keep 
records on persons who are “‘violence prone” and other “persons of 
interest’’ for national security reasons. 

Contributions to each individual file depend on participating 
state and local agencies. According to the NCIC policy paper, each 
file is supposed to show arrests, charges, the disposition of each 
case, sentencing details and custody and supervision status, but 
experience indicates that agencies contributing to the files rarely 
remove arrests records that do not lead to convictions? * and often 


22 NCIC Policy Paper, supran.18  p. il. 


23HR 1, the welfare reform proposal which was extensively revised by the Senate 
Committee before the 92nd Congress adjourned, would make nonsupport a 
tant U.S. attorney in every judicial district to 
elfare. This new crime 


re that personal data files on welfare recipients will be mingled with the files on - 


Finance 
federal crime and place a special assis 
prosecute violators whose desertion caused their families to go on Ww’ 


would assu 
criminal offenders. 


244 number of jurisdictions maintain harmful, jrrelevant data. The Kansas City, Mo., 
ing categories of information in its 


ALERT System, for example, includes the followin 


computerized Warrant/Want Real Time Files: “local and national intelligence on parole 4 
status; active adult and juvenile arrest records with abstract data, area dignitaries; persons “4 


with a history of mental disturbance; persons known to have confronted or opposed law 
college students known to have 4 


” (Statement of Sen. 
Charles Mathias, March 9, 1971, Senate Constitutional Rights Subcommittee Hearings, p. ¥ 


enforcement personnel in the performance of their duty; 
participated in disturbances primarily on college campus areas. 


576.) 


25 The inclusion of arrest records that do not lead to conviction is particularly onerous. ‘4 
In 20 to 30 percent of arrests, the police do not bring charges for a variety of reasons 
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F include damaging extenuating information. Personal identification 


P information such as name, age, sex and physical description are 


- included as well as FBI numbers, state numbers, social security 
' numbers, date and place of birth and other miscellaneous numbers. 
At least one criminal fingerprint card is filed in the FBI identifica- 
tion division “to support the computerized criminal history record 
in the national index.’’ ® 

No federal law or regulation calls for deletion of outdated 
records. The NCIC policy paper states: ‘‘Each control terminal 
agency shall follow the law or practice of the state. . .with respect 
to purging/expunging of data entered by that agency in the 
nationally stored data’’ (p. 12). Most states have no purging require- 
ments at present. The policy paper endorses the concept of state 


* and federal penalties for misuse of the data,?7 and suggests that the 


individual be given the right to see and correct his file, but makes 
no specific recommendations. Experience at the state and local 


"levels indicates that it is extremely difficult for an individual to 


correct an erroneous or incomplete file without resorting to lengthy 
court proceedings. 
a The major deficiency in the guidelines and the system as a whole 
is the absence of proper controls on access to the data contained in 
the files. The policy paper states that access will be provided 
primarily to criminal justice agencies in the discharge of their 
official responsibilities. In addition, ‘‘agencies at all governmental 


“levels which have as a principal function the collection and pro- 


vision of fingerprint identification information” will have access, as 
will all those agencies that presently use NCIC. This means that the 
files will still be used for clearing Federal employees and the 


including mistaken identification, lack of evidence, etc, Yet only eight states have statutes 
* providing for expungement of such records. And of the eight, only one allows 
expungement of arrest records for an individual who has had a previous conviction. 


26NCIC Policy Paper, supra n. 13. 


bik At present the only penalty for misuse of data maintained in the NCIC system is the 
F- provision in 28 USC §534 allowing the FBI to withdraw the privilege of participating in 
the exchange system from an agency that fails to abide by NCIC standards, As the exercise 
f that sanction means that the agency would also cease contributing data to NCIC, the 
vision has been invoked rarely, 18 USC § 1905 provides weak criminal sanctions for the 
3 ae of confidential financial information by federat officials, It would not extend to 

e state participants in the NCIC system, and it protects only white-collar criminals 
whose offenses involve financial misdealings. 
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employees of Federal contractors,?® and the information will be 
shared with federally insured banks, hospitals, insurance companies, 


etc.?° 
At the stage level, the NYSIIS experience suggests that a wide 


range of state agencies and some private firms will have access to 
the files for clearing potential employees or licensees.3° The guide- 
lines provide that state agencies (except for criminal justice 
agencies) cannot use the data in connection with licensing or state 
and local employment, unless “‘legislative action at the state and 
federal level or Attorney General Regulations” provide otherwise. 
But, as the New York experience shows, a number of states already 
have clearance authorization laws, and, since Congress has 
authorized the sharing of identification information with such 
states—with the approval of the Attorney General—the exclusion 
promises to be of limited value. (The Attorney General has never 
withheld approval from a state agency seeking access.) Even if 
approval or clearance should be denied, local policy will inevitably 
determine the terms of access because the NCIC system lacks 
adequate sanctions to apply to nonconforming states. At least one 
state, Iowa, is considering making the information available to any- 


one willing to pay for it.?? 


28 Federal contractors such as Lockheed Aircraft have in the past obtained such 
records from the federal departments with which they do business. 

29Qi Dec. 3, 1971, Congress approved, as part of the fiscal 1972 FBI appropriation, 
the following blanket authorization for the distribution of FBI data: 

The funds provided in the Department of Justice Appropriations Act, 1972 for 
Salaries and Expenses, Federal Bureau of Investigation, may be used, in addition to 
those uses authorized thereunder, for the exchange of identification records with 
officials of federally chartered or insured banking institutions to promote or 
maintain the security of those institutions, and, if authorized by state statute and 
approved by the Attorney General, to officials of state and local governments for 
purposes of employment and licensing, any such exchange to be made only for the 

official use of any such official and subject to the same restriction with respect to 
dissemination as that provided for under the aforementioned Act. (Congressional 
Record, Dec. 3, 1971, S 20461.) 
In 1972 a proposal was submitted to Congress to reverse the 1971 action. At the time of 
this report that proposal, an amendment to the pending Justice Department appropriation 
pill, was before a House-Senate Conference Committee. In the meantime the Justice 
Department (through Sen. Hruska) introduced S 3834 (HR 15929) to assure the broad 
availability of FBI records. 
3See letter from Aryeh 
Union, to Sen. Sam J. Ervin (D 
Subcommittee on Constitutional Rights), listing 
31 Des Moines Sunday Register, July 2, 1972, p. 3A. 


Neier, executive director of the American Civil Liberties 
-N.C.), March 23, 1971 (copy on file with the Senate 


state agencies with access to NYSIIS files. 


Computerized Criminal Information Systems 237 


The looseness of the access provisions becomes more ominous in 
view of the parallel rapid growth of law enforcement intelligence 
files containing sensitive and unsubstantiated information.*? In 
addition, the provisions virtually invite linkages with information 
files maintained by public and private agencies. LEAA is presently 
cooperating with HUD and several other federal agencies to fund 
experimental programs in six cities?* that will provide city 
managers or mayors with “integrated municipal information 
systems” (IMIS) for management purposes. The IMIS is being pro- 
moted by the National League of Cities as a “significantly new 
approach to the process of local government itself,” one “‘that will 
require a degree of commitment and level of expenditure by 
municipalities which has never before been associated with com- 
puter-based systems.” The new systems will eventually include data 
from all urban service departments—police, welfare, schools, etc.—as 
well as underlying demographic and other facts that could be isenul 
in making urban management decisions. The enlarged, organized 
data base supposedly will point to new relationships among urban 
problems, and consequently will improve policy-making. 

The IMIS could present serious problems;...As Robert Knisel 
the director of the program, has written: 7 


If vital statistics, and school, employment and criminal 
Justice records can be pulled together on a named individual at 
will, a child’s teachers may find out he is illegitimate, his poor 
grades may keep him from getting a job, his lack of a job may 


"32We have alread F 

ee paaeens pointed out that LEAA is funding regional and state intelligence 
iar ens oe ee and analy sis of data on organized crime, as well as state and 
ae ae - ering systems on civil disorders and militants and other noncon- 
ee : of the difficulty of standardizing intelligence information, it is unlikely 
ii erstate computer exchange of such data will be realized, at least for some time. 
aR a - data are centralized at the state level under the auspices of the agency 
hers s A tears the central criminal information files, it becomes accessible to 
sor Sa a reat who will be directed to the state of record through the 
ae es : . Attorney General has the power under the present statutory 
See ine federal investigative and intelligence files with the NCIC criminal 


33 ee 

ae ee ies cities are: Dayton, St. Paul, Long Beach, Calif., Reading, Pa., Charlotte 

- "> and ichita Falls, Tex. Other jurisdictions are combining criminal justice computer 
a with information from other public agencies on their own. 
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jead to crime and his criminal justice records may keep him 
permanently unemployed.*4 


Although Knisely sees certain potential benefits in the program, 
he concludes that they are overbalanced by the likelihood that 
neither the courts nor the legislatures will exert adequate control 
over the emerging technology. In any event, the possibility that 
criminal information files will become a part of a larger citywide 
integrated information system is a real one. In California, lowa and 
other jurisdictions, data from a variety of social service agencies are 
already being combined in a single administrative unit that is also 
responsible for criminal justice data.** 

Beyond IMIS, which is a deliberate, small-scale experiment, it is 
likely that private and public decision-makers will step up their 
generalized demands for whatever data are available on the individ- 
uals with whom they are concerned.?® Senator Sam Ervin (D-N.C.) 
has described the problem this way: 


‘Interrelationship’ is the key word here. Once the cor- 
relating process begins on individual personal data in the many 
files of government, all the weaknesses and limitations of the 
computer as a machine will be operating on a grand scale to 
make possible a massive invasion of the privacy of millions, 
and it raises the spectre of a possible program of routine denial 
of due process. Interagency, inter-business networks are being 
established of computers that talk only to each other . 
Decisions affecting a person’s job, retirement benefits, security 
clearance, credit rating or many other rights may be made 
without benefit of a hearing or confrontation of the evidence. 


34Knisely, Robert A., ‘The Fruit of the Tree of Knowledge—Privacy Problems in 
Integrated Municipal Information Systems,” Dec. 7, 1971, p. 7. 

35jowa’s TRACIS (Traffic Records and Criminal Justice Information System), for 
example, will connect with the state’s Department of Public Instruction, the Department 
of Social Services and others. And the California CLETS system. . . will be able to relate 
to records from the public schools. 

36In recognition of this growing tendency and the immense data files available through 
his department, particularly those tied into social security numbers (as is the NCIC 
system), HEW Secretary Elliot L. Richardson has appointed an Advisory Committee on 
Automated Personal Data Systems to develop safeguards to “protect against potentially 
harmful consequences to privacy and due process.” (See “Charter of the Secretary’s 
Advisory Committee on Automated Personal Data Systems,” Feb. 27, 1972.) 
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The computer reduces his opportunity to talk back to the 
bureaucrats. It removes his chances to produce documents, 
photographs or other evidence to alter a decision.37 


The problem of potential linkages between criminal justice 
systems and other governmental files on individuals has been 
centered in a debate that has plagued the new system since its 
inception. The NCIC guidelines initially required participating states 
to utilize computers “dedicated” to law enforcement uses only and 
managed by law enforcement personnel. Many of the states have 
opposed this policy on the grounds that dedicated computers cost 
more and, in some cases, that state law requires that all computer 
systems be centralized under the control of the governor.?® 
According to Donald Roderick, Jerome Daunt’s successor, the FBI 
will now permit each state to set its own rules in accordance with 
existing provisions for statewide computer administration. If a 
decision is reached to use a non-dedicated computer, however, that 
state must make a showing that the criminal justice data are under 
the control of law enforcement officials. 


The Need for New Legislation 


Neither the FBI nor LEAA, the two agencies of the Justice 
Department with the resources or powers to impose regulatory con- 
trols, has developed adequate safeguards for the fastgrowing com- 
puter files on criminal offenders. The NCIC guidelines are in- 
adequate. As we have indicated, most of them are nonspecific, 
relying on state statutes to spell out specific protections. Since most 
of the states have no regulatory legislation on the books and the 
few laws that have been passed are inadequate, the system affords 


*7“The Computer and Individual Privacy,” address of Sen, Sam J. Ervin (D-N.C.) to 
the American Management Association, March 6, 1967. on 

>8 Jerris Leonard sided with the states saying, ““As long as I am here, we are going to 
carry out the philosophy of this administration and that is the states will decide what they 
need. : If the FBI doesn’t want to provide the service, we'll find someone else.” 
(Washington Evening Star, Jan. 22, 1972). In addition the National Association for State 
etna Systems formally protested the dedication Tequirement to Attorney General 

chell, 
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little protection against abuse. Further, the enforcement of the few 
NCIC standards that are binding depends exclusively on the FBI’s 
willingness to exclude a noncomplying state from the system. This 
ultimate sanction has never been invoked. 

Project SEARCH developed more comprehensive privacy and 
operational guidelines,** but these guidelines are advisory only, and 
not legally binding on the states. LEAA has been unwilling to 
impose the SEARCH standards as a condition of its grants. It has 
simply suggested that states contemplating the purchase of infor- 
mation systems with LEAA money “ensure that adequate pro- 
visions are made for system security, for protection of individual 
privacy and the insurance of the integrity and accuracy of the data 
collection.” 

Congress anticipated the need for regulation of the growing law 
enforcement information network in 1970 and added an amend- 
ment to the Safe Streets Act requiring LEAA to submit legislation 
by May 1, 1971, to ensure: 


The integrity and accuracy of criminal justice data col- 
lection, processing and dissemination systems funded in whole 
or in part by the federal government, and protecting the con- 
stitutional rights of all persons covered or affected by such 


systems. 


On Sept. 20, 1971, Senator Roman Hruska (R-Neb.) introduced 
S 2546, “The Criminal Justice Information Systems Security and 
Privacy Act of 1971,” on behalf of the Administration. The bill 
essentially would codify the standards established by the NCIC 
policy board and give the Attorney General the authority to alter 
the scope of the national system as he deems necessary. The bill, 
which has been severely criticized for failing to provide adequate 
protection against misuse of data, was never assigned to an 
appropriate subcommittee for hearings. 

In addition in 1970 Congress mandated the creation of a 
National Commission on Individual Rights to study, among other 
things, the impact “of the accumulation by law or required by 


39See Technical Report No. 2, July 1970, “Security and Privacy Considerations in 
Criminal History Information Systems,” prepared by the Project SEARCH Committee 
Security and Privacy. The committee has also prepared a model state statute and model 
regulations for the governance of state information systems. These have been introduced 


but not acted upon in several state legislations. 
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executive action” and to determine which practices “‘are effective 
and whether they infringe upon the individual rights of the people 
of the United States.” (Title XII, The Organized Crime Control Act 
of 1970.) This provision has never been implemented. 

There are serious questions whether the state and national com- 
puterized files are necessary, whether they are worth their cost 
both social and financial, and whether they work. Perhaps with 
more experience the FBI or LEAA will develop a convincing case 
concerning the manner in which the computerized information 
systems have developed. However, the Justice Department has not 
yet confronted the very real problems that the new NCIC system is 
creating, particularly in regard to governmental overreaching, in- 
vasions of privacy and infringement of basic constitutional rights. 

Underlying the deficiencies of the new NCIC criminal offender 
records system is the vagueness of the legislation under which it 
operates. 28 USC $534 enables the Attorney General to set up (and 
alter) a system to “acquire, collect, classify and preserve identifica- 
tion, criminal identification, crime and other records.”’ and to ‘‘ex- 
change these records with, and for the official use of, authorized 
officials of the federal government, the states, cities and penal and 
other institutions,” (Emphasis added.) The statute contains no stan- 
dards; and despite the fact that the Attorney General has full power 
to do So, no regulations have ever been issued to govern the in- 
formation System except to delegate the Attorney General’s admin- 
istrative authority to the FBI (28 CFR § 0.85), 

In addition to the question of the Justice Department’s statutory 
power, several aspects of the system as it is presently administered 
false important constitutional questions. To include information 
unrelated to criminal convictions in the state files (and by auto- 
matic referral in the national file) may well violate the First Amend- 
ment and the due process and equal protection clauses of the 
United States Constitution. 

For example, On numerous Occasions the Supreme Court has held 
or indicated that the Fifth and Fourteenth Amendments’ guarantee 
of due process protects individuals from injury caused by public 
bodies acting without giving the individual the opportunity to chal- 
lenge or clarify the factual assumptions on which the agency is 
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operating.*° The protection against arbitrary action and the right 
to be heard apply even when the activities involved do not entail 
direct civil or criminal penalties, and extend to the circulation by 
the government of prejudicial information. 

In Joint Anti-Fascist Refugee Committee v. McGrath,*' the 
Supreme Court confronted a situation remarkedly similar to that 
posed by certain aspects of the present-day Justice Department data 
distribution program. Ruling that the Attorney General must pro- 
vide an opportunity for a hearing before including an organization 
on his subversive list, Justice Felix Frankfurter stated: 


The heart of the matter is that democracy implies respect 
for the elementary rights of men, however suspect or un- 
worthy ; a democratic government must therefore practice fair- 
ness; and fairness can rarely be obtained by secret one-sided 
determination of facts decisive of rights... .No better instru- 
ment has been devised for arriving at truth than to give a 
person in jeopardy of serious loss notice of the case against 
him and opportunity to meet it....The Attorney General is 
certainly not immune from the historic requirements of fair- 
ness merely because he acts, however conscientiously, in the 
name of security. 341 U.S. at 110-114. 

Under the new NCIC system the federal and state agencies which 
disseminate background intelligence information or data pertaining 
to arrests not followed by conviction, without giving the subject the 
chance to clarify or correct his record, could be found: in violation 
of the due process clauses of the Fifth and Fourteenth Amend- 


ments. 


49See, e.g,, Joint Anti-Facist Refugee Committee v. McGrath, 341 U.S. 123 (1951); 
Greene v. McElroy, 360 U.S. 474 (1959). 

*' Supra, n, 40. Although the Attorney General was ordered to institute proper 
procedures before adding an organization to the subversive list, the majority of the Court 
did not join any one opinion. Justice Frankfurter’s constitutional reasoning has become 
the most noted of the opinions entered in that case. In Winsconsin v. Constantineau, 400 
U.S. 433 (1971), the Supreme Court held unconstitutional a Wisconsin statute authorizing 
local authorities to post public notices prohibiting the sale of liquor to persons who drink 
excessively, without affording the interdicted individual a right to challenge the 


determination. 
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It is also quite possible that the NCIC criminal history file 
Violates the equal protection clause, by magnifying the con- 
sequences of present discriminatory police practices. Because the 
data it collects focus on street crimes and offenses that tend to be 
committed by the disadvantaged and minorities, and because of its 
indiscriminate inclusion of data on arrests for ill-defined crimes 
(such as arrests for suspicion) and arrests not followed by charges or 
convictions, the NCIC file reinforces the existing class and racial 
bias of the criminal justice system. Arrests for “suspicion” or 

Investigation,” for vagrancy and other vague crimes, constitute a 
major form of police discrimination against blacks and Chicanos. 
Keeping permanent computerized files of such arrests (and in some 
cases convictions) adds another layer of discrimination to the 
criminal justice system, encouraging surveillance, the imposition of 
stiffer penalties, etc., on minorities. When such records are made 
available to employers, discrimination in the hiring process is 
compounded. (See Gregory v. Litton Systems. en? 


CONCLUSIONS AND RECOMMENDA TIONS 


LEAA is investing substantially in the creation of a national 
computerized criminal offender information file serving state and 
local contributors and users. The files at present contain too much 
information and are accessible to too many agencies, including 
private business concerns. Few safeguards protect legitimate rights 
of Personal privacy or prevent use of the information in a 
discriminatory manner. Standing alone, the new information 
systems require immediate and comprehensive regulations and 
controls. The potential harm that they could inflict, however, is 


es 
42ar 
a 316 F. Supp. 461 (C.D. Calif. 1970). The President’s Commission on Federal 
tatistics, Vol. H (1971), Pp. 546, reported: “An applicant who lists a previous arrest faces 
. best a ‘second trial’ in which, without procedural safeguards, he must prove his 
hoe been ti arrest disqualifies him per se, The arrest record is the 
fa us degradation ceremonies’ i iminal la ie 
Commission pointed to the fact that in a recent mired of 30 utes Leuba lites 
that have not led to convictions, “The ‘criminal record’ in these 39 countries includes only 
convictions, and often only those for serious crimes.” {p. 548) For a detailed treatment of 
the problems inherent in the broad dissemination of arrest Tecords, see Security and 
Privacy of Criminal Arrest Records, Hearings before Subcommittee No. 4 of the House 
Committee on the Judiciary, 92nd Congress, 2nd Session (April 1972), 


244 RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS 


made even more critical by (a) the coincident development of new 
state-level intelligence files on civil disorders and dangerous persons 
that are maintained by the same agencies that administer the 
information files and that are accessible to participants in the 
national system, and (b) the rapid expansion of computerized 
records on individuals maintained by welfare, health, education and 
other public and private agencies that can be (and have been) 
readily interfaced with the criminal offender files. To ensure 
integrity and fairness of such systems: 

No further federal funds should be distributed for the operation, 
expansion or development of state and/or national information 
systems prior to the completion of a study by a neutral and 
reputable scientific body—such as the National Academy of 
Sciences or the National Commission on Individual Rights—setting 
forth the policy options facing the nation in regard to such systems. 
In particular, the study should examine: the necessity for various 
possible kinds of information (and intelligence) systems to effective 
law enforcement; the most appropriate structure(s) for such 
systems (centralized, decentralized, state controlled, law enforce- 
ment controlled, etc.); the kinds of safeguards that can and should 
be built into such systems; the relationship of the data banks 
developed under such systems to other data banks; and the proper 
forms for public regulation of such systems. 

If a national or multi-state criminal justice information system is 
found to be justified after the full report by the independent body, 
federal legislation should be passed creating an affirmative right to 
privacy, which would require the government to justify in.advance 
any activity that would conflict with that right. In addition, 
regulatory laws should be passed to control all information systems 
(1) developed and maintained by agencies of the federal govern- 
ment, (2) operated by state or local agencies but supported wholly 
or partly by federal funds and (3) interfacing with federal systems 
or federally supported systems. (If such legislation is not passed, the 
Attorney General should issue formal regulations under his present 
powers. } Among the kinds of safeguards that should be considered 
for inclusion in the legislation are the following: 


« The legislation should spell out with specificity (rather 
than defining by exclusion) the scope of the criminal 
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history offender files and the matter to be included therein. 
Only serious crimes that pose actual danger to the public 
and are likely to involve interstate mobility should be 
included.*° The national file should contain only identi- 
fying data, records of active arrests, convictions and 
sentencing and an identification of the state agency main- 
taining the full records, Records of arrests not followed by 
indictment or information within one year, or conviction 
within two years, should be deleted from the files. When a 
criminal law is repealed, the record of prior violations of it 
should be deleted from the computer. An affirmative 
obligation should be placed on all participating states to 
delete such information from their own files as well as the 
FBI files. Failure to do so should result in termination of 
participation in the system and imposition of financial 
penalties. 


e Specific congressional approval should be required for 
any expansion or modification of the initial system, such as 
a decision to interface with other data banks within the 
Justice Department or other federal agencies. 


e The legislation should provide for operation and/or 
monitoring of the national system by an independent 
agency or commission that would conduct audits and 
spot-checks on both the operating agency and the contrib- 
uting agencies, and would report annually (and periodically, 
as requested) to Congress. The commission, which should 
include constitutional lawyers, representatives of citizens’ 
groups and other civilians, would share responsibility with 
the operating agencies for the development of detailed 
guidelines to govern the operation of the system, No state 
should be allowed to participate in the federal system until 
such time as it has passed its own statute reflecting the 
national standards, creating a state monitoring body and 
providing for the protection of individuals whose records 
are included in the system. 
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SRW ee . 
. This would remove most victimless crimes from the file as well as the other petty 
offenses that are most subject to enforcement patterns that are socially discriminatory. 
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e Each individual should be granted the right of access, 
notice and challenge to all information pertaining to him. A 
person should receive notification when his file is opened, 
and upon each entry he should be informed of his right to 
access and challenge. During a challenge, to protect the 
individual from incomplete and inaccurate information, an 
embargo should be placed on use of the information. 


e The legislation itself should establish general standards 
for the operation of the system and should require the 
Attorney General to issue more specific, mandatory regula- 
tions to govern dissemination of the information to criminal 
justice agencies, the courts and corrections institutions 
and other public agencies. The information should be 
graded so that only the summary computer record (not 
access to supplementary state investigative files) will be 
available to certain recipients, such as federal and state 
employers, or courts seeking to determine sentences.** 


A ea 

44The legislation should probably also waive sovereign immunity on behalf ef the 
United States and make them jointly liable with any individual who disseminates 
information to an unauthorized recipient, on a strict liability basis. The law should include 
minimum damage penalties, attorneys’ fees, and a provision for treble damages, the 
individual defendant and the governmental employer shall have the burden of proving 2 
good-faith effort to make sure that the recipient did have authority to request and receive 
the information, in order to escape punitive and treble damages. The same sanctions 
should apply for dissemination of erroneous information. U.S. district courts should be 
given jurisdiction without regard to the amount in controversy. 


APPENDIX F 


Correctionetics: A Blueprint for 1984 


DANIEL H. LUFKIN* 


The American Justice Institute of Sacramento, California 
working under a grant from the National Institute of Mental Health, 
completed in 1972 a six-volume report! of a three-year study of 

the utilization of advanced information system technology as a 
means of improving the correctional decision-making process.” The 
aim of the -study was to design a system to enable managers of 
correctional institutions to make completely objective decisions 
about the treatment and disposition of criminal offenders. The 
study was the work of the Institute’s Correctional Decisions 
Information Project (CDIP), whose epigraph is inscribed on the 
second cover of Volume I of the report: 


“TODAY AN INFORMATION SYSTEM HOLD 
S FOR 
Ce ee BREAKTHROUGH POTENTIAL 
E FOR BIOLOG 
seta hi St ICAL SCIENCES 


It must in no way demean the dedicated and intelligent effort of 


the CDIP staff to point out that any project that aims to create an 
automated personal data system to monitor and control the popula- 


*Staff Consultant to the Committee 


1 : rs : : 
Correctional Decisions Information Project, Correctionetics: Modular Approach to an 


Re aaa Information Syste: (Sacramento, Calif.: American Justice Insti- 
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tion of a prison efficiently necessarily creates a system with all the 
earmarks of the worst surveillance data bank any civil libertarian 
could imagine. CDIP has completed much of the work needed to 
reduce 1984 to practice. Simple substitutions of the words “govern- 
mental” for correctional’ and “citizen” for offender? in the 
following excerpts from the CDIP report transforms serious and 
humane objectives for prisoners into a nightmare for citizens. 


{C/orrectional administrators. . ‘must be able to. . .deter- 
mine the ability of each operational program to assist various 
types of offenders toward correctional goal attainment. Such 
an ability is totally dependent upon information. Thus, 
information is power to withstand - irrational, unjustified 
onslaughts. Information is power to confirm constructive 
policy decisions. information is power to provide leadership 
for a rational approach to an improved correctional process. 


(Vol. 1, pp. 1-2). 

The Correctional Information System portrayed in these 
documents is for that breed of managers which strives for an 
increasingly effective efficient, and responsive approach to 
rational, humane control and reintegration of offenders. Vol. 


1, p. 6) 

The recycling approach, or Correctionetic concept of 
successive approximations to desired goal attainment, is not 
limited to the management of corrections. St applies equally 
well to individual offenders as they strive to achieve their 
objectives on any of a number of dimensions of personal 
adjustments, ¢.g., vocational, marital, leisure time/social, or 
academic. (Vol. 1, p. 7) 

This type of decision-making assistance is possible for cor- 
rectional managers as they perform the following basic 
functions which constitute the management process: 


1, Goal Definition 
2. Planning 


1 Not italicized in original text. 
2Not italicized in original text. 
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3. Operations Control 
4. Achievement Assessment 
5. Effectiveness Evaluation (Vol. 1, p. 8) 


The last paragraph betrays the weakness of the transformation: if 
we assume that the CDIP system could apply as well to a nationAas 
toa prison, we are also assuming that ‘““management” and “govern- 
ment” are interchangeable. In fact, however, the idea of the social 
contract, of authority derived from the consent of the governed 
(rather than from the managed), is precisely what differentiates a 
nation from a prison. 

Valuable as a more thorough exploration of that differentiation 
might be, we shall forego it here in order to concentrate on the 
practicalities of the CDIP approach in the context of a special 
micro-society into which the problems of citizens’ rights and 
privacy do not immediately intrude. Nevertheless, the conditions of 
prisoners and of free citizens are not diametrically opposed: prison 
and 20th-century America are not the end points on any scale of 
social values. Prisoners do have rights and privacy just as ordinary 
citizens have restrictions and intrusions. Correctionetics includes 
data on an offender’s religion and sexual practices, but none on the 
contents of his letters or his conversations with his lawyer. Cor- 
rectionetics is thoroughly benevolent, and efficient benevolence is 
precisely the characteristic that seems to lie at the root of our 
suspicions of the computerized state. 

At the heart of Correctionetics is the capability for what CDIP 
calls demand reporting: the capability of producing from a gener- 
alized data base a report whose content and structure fit the needs 
of one particular decision. In such a system, the capability of 
generating routine reports with fixed content is implicit. In the 
correctional context, for example, the manager may request a 
report listing the total number and names of offenders in a partic- 
ular institution who have been convicted of a certain crime, who 
have served their minimum sentence, are in a given range of age and 
who have a particular occupation or skill. Such a report would 
simplify matching offenders eligible for release with known job 
possibilities outside. In the civil context, a demand request might be 
for a list of the blond males in their late thirties who drive blue 
Pontiacs with the last license digit of seven. The motive of the 
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request is not the offer of a job, but rather the search for a bank 
robber. 

The capability of a data system to perform such a search clearly 
rests on two features: a comprehensive file of personal character- 
istics, and the logical ability to compare the file contents with the 
terms of the request. Both these capabilities are easy to build into a 
computer system; in theory there is no difficulty at all in setting up 
a system of considerable range and depth. Experience tells us, 
though, that real life consistently falls short of expectations. It is 
instructive to see how this universal principle operates on Cor- 
rectionetics and to extrapolate that knowledge to the real world. 


Offender Data File 


The underlying operating unit of Correctionetics is the offender 
data file (ODF), a record of 369 different facts and opinions about 
the offender. When the CDIP study first began, in July 1969, the 
ODF included only 200 data elements. Let us note for later refer- 
ence that the number of data elements found to be needed nearly 
doubled in about two years of planning and experimental operation 
of the system. The ODF begins with the name (and aliases) of the 
offender, three identification numbers, his date and place of birth, 
his first year of State residence, his ethnic origin, and his religious 
preference. This much information, the offender identification 
block, requires 139 characters of file space as a minimum for each 
offender. (The average offender was found to have 2.6 aliases at 33 
characters per alias, and some had as many as 12.) 

The ODF goes on to record the legal status, the offense history, 
the medical, dental, psychological, psychiatric, academic, voca 
tional, and adjustment histories of the offender, details of his child- 
hood, his family and its economic status, his work history in the 
institution, and his prospects for release and parole. The data are 
grouped into 17 blocks and occupy a minimum file space of 1134 
characters, but the complete ODF would easily fit on a single page 

of typescript, since most of the information is entered in 
form. 

Coding data in order to conserve storage space and to make 


sible a logical search for a known data entity is characteristic of 


pos 
t to which the coding con- 


computer data processing. The exten 


coded - 
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ventions match the underlying structure of the data determines to a 
very great extent the ultimate power of the computer program to 
handle any but the simplest sorting tasks. The coding manual for 
building the ODF provides explicit codes for every coded data ele- 
sie eee computer's perception of the real world takes place 
a earls 2 Hora of the codes (outside of literal data such 
Ais rete oe eee bs structure of the codes and selection of 
sn st be made with the greatest care and fore- 

In the experience of practically every organization that has devel- 
oped a sizable computer data base, one of the greatest expenses in 
the operation comes in converting the data from conventional 
manual to encoded machine-accessible form. Conscientious 
accurate coding demands well-trained, highly motivated clerks whe 
can keep an extensive body of coding rules in mind and apply them 
quickly to an amorphous mass of real-world facts. ‘ 

In the CDIP work, the coding manual is a 200-page volume 
explaining every possible entry in the ODF. The scope and structure 
of the codes themselves have apparently never been tested by pro- 
cessing a large number of actual correctional records, although we 
ci later discuss a greatly restricted pilot program and its results. 
: e coding manual shows the extent to which standardized codes 
or occupations, school subjects, diseases, and similar common data 
entities have already been adopted among independent but parallel 
data-processing organizations. Academic course codes are those of 
the California Department of Education, and include not only 
introduction to data processing (MXA) and computer techniques 
(MXB), but also a very full range of elementary and secondary 
school subjects. The vocational training codes are those used in 
Federal government job classifications. The Federal code is con- 
siderably edited to provide a fuller breakdown of skills important to 
prison operation: laundry workers (36x.xxx), farm workers 
(2xx.xxx), food workers (52x.xxx), mattress inspectors (780.687) 
and the like. (There is no code provision for locksmith.) Medical 
diagnosis and treatment is coded according to the American Medical 
Association’s Standard Nomenclature of Diseases and Operations 
The codes for voluntary and leisure time activities presumably 
reflect the choices available to actual inmates of the California cor- 
rectional system. They include all the familiar sports plus some 
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surprises, such as bicycle racing (103) and golf (111). Special- 
interest groups include aviation (706) and transactional analysis 
(726). That an activity code for the classification of prisoners can 
hold surprises is a good indication that a similar code for the public 
at large would run to many times 200 pages. 


Data for Decision Making 


During the course of the CDIP study, two pilot programs were 
carried out to test the preliminary design of the system and to 
demonstrate the operation of the system before experienced cor- 
rectional managers. The results of those programs are interesting as 
an indicator of the potentials and pitfalls we could expect to meet 
in a large-scale general system. 

In testing some of the preliminary design concepts of the system, 
CDIP planners identified the following factors in decision-making 
processes that use data in the way they can be provided by a large- 
scale computerized system: 


e Decision makers say they need data concerning large 
numbers of variables. 

e Empirical studies indicate that the decision-making 
process actually involves a small number of variables, six or 
eight at the most. 

e The structure of the decision-making process itself and 
the order of presentation of the data both affect the out- 


come. 


These and other more peripheral problems were tested in an 
experimental setting with data records of actual prisoners presented 
to experienced correctional officers in a simulation of computer 
operation. The officers decided on the disposition of three hypo- 
thetical cases: granting a minimum-security custody rating; granting 
a parole after a minimum sentence nad been sctved; and revoking a 
parole after a borderline violation. The type of data, its order of 
selection, and its weight in the ultimate decision were all recorded. 

The detailed analysis of the experiment appears in Appendix D 
of the CDIP report; it is enough here to summarize the findings 
which would have broader applicability to a similar task in a citizen 


data bank. 
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. The decision makers did in fact use an average of only 
eight pieces of data. There were a number of data items 
which were never looked at, even though they had been 
specifically requested in the data bank. 

¢ For the decision on custody rating and granting parole 
the record of the offense itself was the first thing con- 
sidered. For revoking parole, the offense was second. In 
general, purely factual data on the offender’s history vere 
used more than subjective data derived from evaluation of 
the offender by the correctional staff. 

e Deeper statistical analysis of the decision-making process 
revealed no underlying regularities in the way decisions were 
made, which regularities many data-processing specialists 
assume to exist. 


Data for Reports 


In the second pilot test, the capabilities of a computer program 
package much more restricted than the full, planned correctionetics 
system were demonstrated to meetings of senior correctional 
officers at their national conventions. A special 74-item ODF was 
prepared from the conventional records of 5756 offenders in a cross 
section of the institutions of the California Department of Cor- 
fechions, It is worth noting that the project found it necessary to 

embellish” (CDIP’s word) the original data to make them conform 
to the requirements of the demonstration. 

In the first demonstration, at Palm Springs, a computer at Santa 
Monica was loaded with the data base and the demonstration pro- 
grams. The terminal at Palm Springs was connected to the computer 
by telephone. The demonstration programs were relatively simple 
sorting routines which demonstrated how to generate a list of 
offenders to be released in the next month, and then searching the 
ODF for a qualified inmate to take over a clerk’s job vacated by a 
releasee. After the prepared program application was demonstrated 
the spectators were allowed to make up their own queries for the 
data, although it is not clear from the report what these queries 
were or how well that part of the demonstration worked. 

. The second demonstration of the same program package was held 
in Cincinnati. It is a keen comment on the computer specialist’s 
faith in his charges that the CDIP staff took the precaution of 
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punching all the query input on paper tape beforehand, so that a 
keyboard mistake—alas! all too common—would not upset the 
demonstration. The staff also took the precaution of punching the 
computer’s output on paper tape beforehand and taking that tape 
with them to Cincinnati. There, the output could be fed into the 
teletype printer under the control of a foot-switch, thus simulating 
the action of a computer at the other end of the line without 
exposing the demonstration to the dangers of real-life computer 
operation. (It is also a tribute to the candor of the CDIP staff that 
they fully describe this ploy in their report.) The demonstration 
ended with a period of genuine computer operation over the link, 
during which the audience had an opportunity to try the system. 
Typical queries from the experienced correctional officers dealt 
with average time served by offenders in various classifications of 
confinement, profiles of offenders involved in escape attempts, 
juvenile commitment history of selected sets of adult offenders, and 
other similar sorting and listing tasks. 


Correctionetics as a Data Bank 


What does this report about Correctionetics, an automated 
personal data system designed for a prison society with few of the 
traditional concerns for privacy, have to tell us about computers and 
privacy in our own wider society? Are we looking at a worst-case 
microcosm, one from which we can no more extrapolate to our 
present civil society than we can from an anthill!? Even as an antihill 
can teach us something about living beings in general, so can Cor- 
rectionetics teach us something about the intrinsic limitations com- 
puterized personal data systems have, even in the absence of mani- 
fest safeguards for privacy. 

Let us look at some of the features of Correctionetics and com- 
pare them with roughly corresponding features of other personal 
data systems. 


Scope. First, and of fundamental importance, Correctionetics 
stores no more data on an individual prisoner ihan the manual 
system did. In point of fact, it stores less. When the records of the 
sample population were being prepared for the demonstrations, it 
was necessary to omit all but a tiny fraction of the material in the 
prisoners’ record jackets, many of which were half a foot thick. The 
material omitted was that least suited to computer treatment; that 
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is, anecdotal and narrative records, interview reports by psycholo- 
gists, extracts from correspondence, and the like. It is this sort of 
intelligence record that is fundamentally unsuited for computer 
treatment, and which would have the greatest potential for harm to 


privacy if it were to enter the lightly protected files of a computer 
data bank. 


Costs. Second, Correctionetics seems to be so grossly uneconom- 
ical that there would be little incentive to adopt it in a full-scale 
way. As every business comptroller knows, it is almost impossible 
to pr®e out a computer system before it goes into operation, and 
difficult enough even to measure the running operating costs. The 
CDIP report is reticent on costs, but we would estimate the storage 
and processor requirement for an offender population of 50,000 to 
be over 250,000,000 bytes (CDIP Table 5.4.2). Roughly 
corresponding commercial credit experience suggests a cost of 
about $80,000 per month to which staff and overhead costs would 
add about 50 percent to bring the total cost to about $120,000 per 
month. It is hard to see that the advantages of automated prison 
management on the scale suggested by CDIP would be defensible 
unless it could be carried as a partial load on some larger general- 
purpose system. . 


Impact on Decision Making. Third, the impact of Correctionetics 
on the actual process of prison management decision making does 
not seem to be all that striking. It is obvious that the computer has 
no difficulty in finding, for example, the average age of narcotics 
offenders in a particular institution, but one suspects that the 
warden could guess the figure closely enough for practical purposes 
with no aid at all. For particular tasks, such as matching parolees 
with job openings, the services of a computer are well defensible, 
but more economically carried out in a special-purpose system that 
only handles employment data and need not process the excess 
baggage of the rest of the offender data file merely to arrive at a job 
match. This illustrates a point that deserves emphasis again and 
again in designing data-processing systems: a system should be no 
larger than needed to do a particular task. Money spent to provide 
capacity for the possibility of data processing in the abstract, or 
merely to provide “management information” is like wagering at 
unknown odds. A management information program run once or 
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twice a month on a computer system that otherwise earns its keep 
on accounting, payroll, and inventory yields impressive decorations 
for the board room and likely does no harm, But neither does it do 
enough good to deserve a dedicated computer system all to itself. 


Safeguards for Correctionetics 


Finally, we may look at Correctionetics as a test case for the 
application of safeguards. What effects would there be if Correc- 
tionetics gave offenders more control over information about them- 
selves? 

In the Correctionetics system there is no provision for feedback 
from the data subjects. The prison management’s goals are defined 
in terms of data measurements made through the system, and the 
system is then used as the means of bringing operations of the 
prison into conformity with those goals. If a data error creeps in 
from any source, the system can produce a false measurement or a 
false operation or both; without suitable feedback, the false mea- 
surement may well reinforce the false operation instead of cor- 
recting it. 

Let us look at an example as it might actually run through the 
Correctionetics system. Through a coding error, a prisoner’s file is 
changed to show that he is an active homosexual. A status change 
report is automatically generated which removes him from a televi- 
sion repair course (forbidden to sexual offenders) and transfers him 
to a cell in a more secure block (because a profile of such offenders 
shows them to be, on the average, more aggressive than others). 
These two actions confirm the prisoner’s suspicions about the 
prison administration and he fulfills their expectations by actually 
becoming sullen and aggressive, which behavior, in turn, generates 
another automatic transfer order to an “‘adjustment center.” In this 
scenario, and in a hundred others we could imagine, an originally 
minor error in a record has snowballed into serious injustice. 

Giving the prisoner a right to know what information his file 
contains would have had the immediate effect of discovering the 
error, provided he realized that some change in that information 
had taken place. In this case, the change in training status would 
have been an obvious clue to him. A right to secure correction of 
the data would have stopped its propagating in the program and 
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would have prevented or undone the subsequent actions the system 
made on the basis of the error. 

Thus, the possibility of feedback from the data subject to the 
data bank can act as a powerful brake on the freedom of an 
authority to take arbitrary action. It is obvious that this would have 
clear benefit for a person at the bottom of the heap, but we wish to 
point out that it also protects the authority taking action. If we 
make the assumption that administrative injustice will eventually 
come to light and be dealt with through the law, it is very much to 
the benefit of the warden, in our example, to insure that his deci- 
sions are based on the best data he can command. Rules to ensure 
that errors in personal data banks are discovered and corrected 
promptly will go far toward preventing abuse of even so stern a 
system as Correctionetics, 


Computerized Decision Making 


The deeper question of the actions that an automated system 
such as Correctionetics can take on the basis of even perfect data 
also deserves careful consideration. In our example from the actual 
program, a record as a sexual offender was automatically treated as 
sufficient cause to disqualify an inmate from training as a television 
repairman. This is a simple decision to program, and one presum- 
ably based on an actual rule of the California Department of Cor- 
rections. In pre-automation practice, the application of such a rule 
would usually take place in a context such that knowledge of other 
factors in the offender’s record would come to the attention of the 
training officer. He might give the rule only as much weight as he 
thought appropriate in the light of all the factors in an individual 
case, and could certainly at least take initiative to seek occasional 
exceptions from the rule. 

It is precisely that sort of personal initiative which seems to be 
the most strongly appreciated advantage of human over com- 
puterzed administration. Although we have all experienced 
occasions in which a bureaucrat acted like a computer, we also 
recognize those occasions as the exceptions to our usual experience 
with human decision making. 

To be fair, it is possible in theory to program a computer to 
simulate human decision making. In practice, though, it is obvious 
from the Correctionetics experiment that we are far from attaining 
that end. 


Appendix G 


The Law Relating to HEW 
Personal—Data Record Keeping 


Introduction 


The Federal law bearing on collection, storage, handling, dissemi- 
nation, and other use of information about individuals (hereinafter 
often referred to as ‘“‘personal information activities’’) is a large and 
varied assortment of statutes, regulations, Executive orders, and 
other directives. Little of this law applies generally to all agencies of 
the Federal government, and still less has general application to 
personal information activities of organizations outside the Federal 
government. 

This paper discusses the law that governs the behavior of the 
Department of Health, Education, and Welfare’ (hereinafter re- 
ferred to as “the Department” or “HEW”) and its grantees and 
contractors in the conduct of personal information activities. 

Three statutes of general application throughout the Federal 
government are discussed with special reference to their HEW 
effects: the Federal Reports Act, 44 U.S.C. 3501 et seq.; the 
so-called ‘Freedom of Information Act”, 5 U.S.C. 552; and a 


‘The Department comprises a number of organizational components through which its 
operational programs and activities are carried out, viz.: the Public Health Service (PHS), 
consisting of the Food and Drug Administration (FDA), the Health Services and Mental 
Health Administration (HSMHA) and the National Institutes of Health (NIH); the 
Education Division, consisting of the National Institute of Education (NIE) and the Office 


AERA 
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criminal statute forbidding government officers and employees 
from making unauthorized disclosures of information. 18 U.S.C. 
1905. This paper focuses on personal information and does not 
cover the law relating to trade secrets or commercial information. 

The statutory sources of authority relating to HEW’s conduct of 
personal information activities may be categorized as follows: (1) 
broad authority to administer and manage HEW; (2) authority for 
HEW to carry out particular program activities, including research, 
whether conducted by HEW or by others with support from HEW; 
(3) authority for HEW information (or personal information) 
activities; (4) authority (sometimes by Executive order rather than 
by statute) which, though not directly conferring authority on 
HEW, gives rise indirectly to obligations’ imposed on HEW, 
commonly along with other government departments, to obtain, 
provide, and/or report personal information for its own purposes or 
to other government departments or agencies (e.g., Civil Service 
Commission, Internal Revenue Service) to the Congress, or to the 
public. Except in category (3), these sources of authority generally 
make no explicit reference to information (or personal information) 
activities, but it is a reasonable and necessary interpretation of the 
authority to include such activities. 

Sources of authority for HEW’s personal information activities 
are legion, resulting particularly from the necessity of interpreting 
such authority to exist in all statutes concerning program activities 
and research covered by category (2). This paper seeks to present a 
complete compilation of the sources of authority for HEW’s 
personal information activities in categories (1), (3), and (4). With 
tespect to category (2) it discusses only statutes that have special 
significance in relation to personal information activities or contain 
a provision relating specifically to personal information activity. It 
should be noted that in order to perform statutory program duties, 
it is often necessary to conduct personal information activities, 
particularly in programs that provide direct services to individuals, 
for example, the repatriation assistance programs of the Social and 


of ‘Education (OE); the Social and Rehabilitation Service (SRS); the Social Security 


Administration (SSA); and the Office of the Secretary (OS), consisting in part of the 
Office for Civil Rights (OCR), and the Office of Human Development, which includes the 
Administration on Aging (AoA), the Office of Child Development (OCD), and the Office 
of Youth Development (OYD). (Effective July 1, 1973, the operating agency constituents 
of the Public Health Service will be reorganized to consist of the Food Drug 
Administration, the Center for Disease Control, the Health Resources Administration, the 
Health Services Administration, and the National Institutes of Health.) 
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Rehabilitation Service, 24 U.S.C. 321-29, and section 1113 of the 
Social Security Act, 42 U.S.C. 1313. In addition, authorized 
research activities, for example in the health fields, frequently 
require extensive information about individuals. Examples of 
authority for the “‘conduct and support” of research activities 
include the statutes authorizing the research institutes of the 
National Institutes of Health. Public Health Service Act sections 
402 (Cancer, 42 U.S.C. 282), 412 (Heart Diseases, 42 U.S.C. 287a), 
422 (Dental Diseases, 42 U.S.C. 288a), 431 (Arthritis, Rheumatism, 
and Metabolic Diseases, Neurological Diseases and Stroke, and other 
particular diseases and groups of diseases, 42 U.S.C. 289a), 441 
(Child Health and Human Development, 42 U.S.C. 289d), 442 
(General Medical Sciences, 42 U.S.C. 289e), 451 (Eye Diseases and 
Visual Disorders, 42 U.S.C. 289i). 

Because the statutes deal sparingly with personal information 
activities, one must also turn to regulations that have been issued to 
implement statutes to get a fuller understanding of the authority 
that governs such activities. We have sought to identify and discuss 
the principal regulations that have operational significance for the 
conduct of personal information activities, including all that are 
Departmental in scope (i.e., apply to all operating agencies of the 
Department) and those that apply throughout a particular operating 
agency. Of regulations limited in application to a particular program 
or activity, we have attempted to include only those that contain 
specific provisions about personal information activities. Guidance 
as to HEW personal information activities appears also in program 
materials issued at the operating level which are more detailed than 
statutes or regulations but which may lack the force of law. The 
discussion of such materials in this paper is limited to a few 
examples. 

The law relating to personal information activities carried out in 
connection with HEW personnel administration is treated separ 
ately, because the legal requirements and operational considerations 
involved are distinctive. 


Authority to Collect Information 


GENERAL 


The Department was created by Reorganization Pian No. 1 of 
1953 which became effective on April 11, 1953 (67 Stat. 18) and is 
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recognized as an executive department in 5 U.S.C. 101. The Plan 
provides that the Department shall be administered under the 
supervision and direction of the Secretary. A general grant of power 
enables the Secretary to act as he finds necessary in order to carry 
out his responsibilities in the areas of health, welfare, social 
security, and education. An opinion of the Attorney General, 
discussing general Secretarial powers, emphasized that express 
statutory authority is not required for every administrative act. 28 
Op. Atty. Gen. 549 (January 5, 1911). The Secretary’s responsi- 
bilities are further defined in part in 5 U.S.C. 301 which states: 


The head of an Executive department... may prescribe 
regulations for the government of his department, the 
conduct of its employees, the distribution and performance 
of its business, and the custody, use, and preservation of its 
records, papers, and property. 


See also section 215(b) of the Public Health Service Act, 42 U.S.C. 
216(b), setting forth similar authority to promulgate regulations for 
administration of the Public Health Service, including regulations 
relating to custody, use and preservation of records. 

In addition to the Secretary’s general authority to manage the 
Department, there are numerous specific statutory provisions 
authorizing collection of information by HEW. The authority for 
the conduct of programs characteristically requires that HEW make 
periodic reports on the conduct and status of those programs. In 
addition, where HEW is authorized to contract with or grant money 
to States, localities, and private institutions for the conduct of 
programs, the legislation generally requires them to make periodic 
reports to the Department or its agencies. See, e.g., Elementary and 
Secondary Education Act, section 142(a) (3), 20 U.S.C. 241 f(a) 
(3), (periodic reports to the Commissioner of Education evaluating 
effectiveness of Title I payments). 


EDUCATION 


Perhaps the broadest grant of authority for collection of 
information is the Organic Act of 1867, 14 Stat. 434, which 
established a ‘“‘Department of Education” 


....for the purpose of collecting such statistics and facts as 
shall show the condition and progress of education in the 
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several States and Territories, and of diffusing such informa- 
tion respecting the organization and management of schools 
and school systems, and methods of teaching, as shall aid 
the people of the United States in the establishment and 
maintenance of efficient school systems, and otherwise 
promote the cause of education throughout the country. 
See 20 U.S.C. 1. 


Under more recent education laws the Commissioner of Educa- 
tion is charged specifically with collecting and disseminating 
information. Section 422(a) of the General Education Provisions 
Act provides: 


The Commissioner shall— 

(1) prepare and disseminate to State and local educa- 
tional agencies and institutions information concerning 
applicable programs and cooperate with other Federal 
officials who administer programs affecting education in 
disseminating information concerning such programs; 

(2) inform the public on federally supported education 
programs; 

(3) collect data and information on applicable programs 
for the purpose of obtaining objective measurements of the 
effectiveness of such programs in achieving their purposes; 
and 

(4) prepare and publish an annual report (to be referred 
to as “the Cemmissioner’s annual report’) on (A) the 
condition of education in the nation, (B) developments in 
the administration, utilization, and impact of applicable 
programs, (C) results of investigations and activities by the 
Office of Education, and (D) such facts and recommenda- 
tions as will serve the purpose for which the Office of 
Education is established (as set forth in section 403 of this 
Act). 20 U.S.C. 123 La(a). 


Other provisions relating to collection of information are found 
in section 417 of the General Education Provisions Act, 20 U.S.C. 
1231f, and in section 501 of the Education Professions Develop- 
ment Act, 20 U.S.C. 1091. The former gives the Commissioner 
authority to furnish various information to, and to make special 
statistical compilations and surveys for, State or local officials, 
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private organizations, or individuals. The latter provides for the 
development of “information on the actual needs for educational 
personnel, both present and long range.” 

Although it seems clear that the foregoing provisions regarding 
information activities in the field of education do not contemplate 
the dissemination of identifiable personal information, such infor- 
mation may need to be collected in order to prepare the statistical 
compilation and analyses to be used or disseminated. 


HEALTH 


In defining the general powers and duties of the Secretary in the 
health area, section 301 of the Public Health Service Act states: 

The Secretary shall conduct in the Service, and encourage, 
cooperate with, and render assistance to other appropriate 
public authorities, scientific institutions, and scientists in the 
conduct of, and promote the coordination of, research, 
investigations, experiments, demonstrations, and studies relat- 
ing to the causes, diagnosis, treatment, control, and prevention 
of physical and mental diseases and impairments of man, 
including water purification, sewage treatment, and pollution 
of lakes and streams. In carrying out the foregoing the 
Secretary is authorized to— 


(a) Collect and make available through publications and 
other appropriate means, information as to, and the 
practical application of, such research and other activities; 
42 U.S.C. 241. 


Further authority to collect information in the health field is 
provided in section 305 of the Public Health Service Act which 
authorizes the National Health Surveys and Studies as follows: 


(a) The Secretary is authorized, (1) to make, by sampling 
or other appropriate means, surveys and special studies of the 
population of the United States to determine the extent of 
illness and disability and related information such as: (A) the 
number, age, sex, ability to work or engage in other activities, 
and occupation or activities of persons afflicted with chronic 
or other disease or injury or handicapping condition; (B) the 
type of disease or injury or handicapping condition of each 
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person so afflicted; (C) the length of time that each such 
person has been prevented from carrying on his occupation or 
activities; (D) the amounts and types of services received for or 
because of such conditions; (E) the economic and other 
impacts of such conditions; (F) health care resources; (G) 
environmental and social health hazards; and (H) family 
formation, growth, and dissolution; and (2) in connection 
therewith, to develop and test new or improved methods for 
obtaining current data on illness and disability and related 
information... .42 U.S.C. 242c. 


It should be noted that a provision was added to this paragraph by 
P.L. 91-515 to protect the privacy of persons supplying such 
information. (See discussion at p. 279, below.) 

Section 317 of the Public Health Service Act, 42 U.S.C. 247b, 
authorizes support of communicable disease control programs, and 
calls for reports to the Secretary on communicable disease problems 
by grantees under the program. 

Section 315 of the Public Health Service Act, 42 U.S.C. 247, 
authorizes the issuance of information related to public health. 

Section 313 of the Public Health Service Act, 42 U.S.C. 245, 
directs the Secretary to “‘.... prepare and distribute suitable and 
necessary forms for the collection and compilation of [mortality, 
morbidity, and vital statistics] which shall be published as a part of 
the health reports published by the Secretary.” This section is 
authority for the operations of the National Center for Health 
Statistics of the Health Services and Mental Health Administration. 

In addition there are programs involving health services which 
involve the collection of personal information (e.g., operation of 
Public Health Service hospitals, Public Health Service Act § 321, 42 
U.S.C. 248: narcotics addict care and treatment, Public Health 
Service Act § 341, 42 U.S.C. 257). 

The Secretary is authorized to “conduct examinations and 
investigations for the purposes of . . . [the Federal Food, Drug, and 
Cosmetic] Act....” 21 U.S.C. 372. 

Under the Federal Coal Mine Health and Safety Act of 1969, 30 
U.S.C. 801-960, the Secretary has certain obligations with respect 
to the medical examination of coal miners. Under the Act, coal 
mine operators are obliged to provide miners with chest X-rays in 
accordance with instructions of the Secretary, and to provide the 
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Secretary with the results of the readings of such X-rays. Under the 
Act, the Secretary is obliged to provide the results of such readings 
to the miners involved. Sec. 203(a), 30 U.S.C. 843. There is no 
statutory obligation of confidentiality, but the Secretary’s regula- 
tions for the program require mine operators to give assurance that 
they will not “solicit a physician’s roentgenographic findings” and 
that they have instructed the physicians that duplicate X-rays will 
not be made. 42 C.F.R. 37.4. 


WELFARE 


The authority of the Social Security Administration (SSA) to 
collect information is derived primarily from its duty to carry out 
its program responsibilities. In this regard, Title II of the Social 
Security Act, Federal Old-Age, Survivors, and Disability Insurance 
Benefits (OASDI), provides in part as follows: 


(a) The Secretary shall have full power and authority to 
make rules and regulations and to establish procedures, not 
inconsistent with the provisions of this title, which are 
necessary or appropriate to carry out such provisions, and shall 
adopt reasonable and proper rules and regulations to regulate 
and provide for the nature and extent of the proofs and 
evidence and the method of taking and furnishing the same in 
order to establish the right to benefits hereunder. Sec. 205(a); 
42 U.S.C. 405(a). 


* * + * * * + 


On the basis of information obtained by or submitted to the 
Secretary, and after such verifications therof as he deems 
necessary, the Secretary shall establish and maintain records of 
the amounts of wages paid to, and the amounts of self-em- 
ployment income derived by, each individual and of the 
periods in which such wages were paid and such income was 
derived and, upon request, shall inform any individual or his 
survivor, or the legal representative of such individual or his 
estate, of the amounts of wages and self-employment income 
of such individual and the periods during which such wages 
were paid and such income was derived, as shown by such 
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records at the time of such request. Sec. 205 (c)(2)(A); 42 
U.S.C. 405 (c)(2). 


The Secretary is also authorized to obtain information for the 
purpose of any hearing, investigation or other proceeding author- 
ized or directed under Title II of the Social Security Act or relative 
to any other matter within his jurisdiction thereunder, by use of the 
subpoena power if necessary. Sec. 205(d); 42 U.S.C. 405(d). 

Section 218(e) (1)(B) of the Social Security Act, 42 U.S.C. 
418(e) (1)(B), authorizes the Secretary to issue regulations prescrib- 
ing reports by States under agreements extending OASDI coverage 
to State and local government employees. 

Title XVIII of the Social Security Act, Health Insurance for the 
Aged (Medicare), authorizes the use of intermediaries and carriers 
for the administration of benefits and specifies that each contract 
shall provide that the intermediary or carrier shall furnish to the 
Secretary information it obtains in performing its functions and 
shall maintain records supporting such information § 1816(b)(2), 
42 U.S.C. 1395h(b)(2), and § 1842(b)(3)(D) and (E), 42 U.S.C. 
1395u(b\(3)(D) and (E). In addition, the Secretary is authorized to 
secure information “‘as may be necessary in the carrying out of his 
functions. ..”” and directed to carry on studies relating to health 
care of the aged and to the operation and administration of the 
hospital and supplementary medical insurance programs for the 
aged. § § 1874 and 1875, 42 U.S.C. 1395kk and 139511. 

The collection of information by SSA is closely related to some 
Internal Revenue Service activities and there is interchange of 
information between the agencies. See 20 C.F.R. 401.3 (d). Internal 
Revenue Act provisions and the regulations thereunder provide 


that: 


Every person liable for any tax imposed by this title, or for the 
collection thereof, shall keep such records, render such 
statements, make such returns, and comply with such rules 
and regulations as the Secretary [of the Treasury] or his 
delegate may from time to time prescribe. Whenever in the 
judgment of the Secretary or his delegate it is necessary, he 
may require any person, by notice served upon such person or 
by regulations, to make such returns, render such statements, 
or keep such records, as the Secretary or his delegate deems 
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sufficient to show whether or not such person is liable for tax 
under this title. 26 U.S.C. 6001; Sec 26'C.F.R. 1.6001-1. 


When required by regulations prescribed by the Secretary [of 
the Treasury] or his delegate any person made liable for any 
tax imposed by this title, or for the collection thereof, shall 
make a return or statement according to the forms and 
regulations prescribed by the Secretary or his delegate. Every 
person required to make a return or statement shall include 
therein the information required by such forms or regulations. 
26 U.S.C. 601 1(a); See 26 C.F.R. 1.6011-1. 


The Administration on Aging has the “duty and function” to 


(1) serve as a clearinghouse for information related to 
problems of the aged and aging; 


% * * * * * * 


(4) develop plans, conduct, and arrange for research in the 
field of aging .... 


* * * & * & # 


(6) prepare, publish, and disseminate educational materials 
dealing with the welfare of older persons; 


(7) gather statistics in the field of aging which other 
Federal agencies are not collecting; .... Older Americans Act 
of 1965, § 202. 


There is also the requirement, similar to that under Titles I, IV, 
X, XIV, XVI, and XIX of the Social Security Act (see p. 268, 
below), that a State agency administering a State plan program 
under the Older Americans Act will make reports to the Commis- 
sioner on Aging, “... in such form and containing such informa- 
tion, as the Commissioner may from time to time require.” Older 
Americans Act of 1965, § 305(a)(3). 

Information and reports authority also exists in the area of 
juvenile delinquency prevention and control. The Secretary is 
directed to “collect, evaluate, publish, and disseminate information 
and materials relating to research and programs and projects...” 
in the juvenile delinquency field. Juvenile Delinquency Prevention 
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Act, § 303, 42 U.S.C. 3873. Provision is made for continuing 
evaluation of programs and activities under the Act, which 
evaluations ‘‘shall include comparisons with proper control groups 
composed of persons who have not participated in programs” under 
the Act. Title IV, 8405, 42 U.S.C. 3885. The Act also requires an 
annual report to Congress on Juvenile delinquency activities 
including, among other things, 


the number and types of training projects, number of persons 
trained and in training, and job placement and other follow-up 
information on trainees and former trainees.... Title IV, 
§ 409, 42 U.S.C. 3889. 


Each title of the Social Security Act authorizing a public 
assistance program contains a clause that the State plan for the 
program must 


provide that the State agency will make such reports, in such 
form and containing such information, as the Secretary may 
from time to time require, and comply with such provisions as 
the Secretary may from time to time find necessary to assure 
the correctness and verification of such reports; Title I, Old 
Age Assistance and Medical Assistance for the Aged, § 2(a)(6), 
42 U.S.C. 302(a)(6); Title IV, Aid to Families with Dependent 
Children, § 402(a)(6), 42 U.S.C. 602(a)(6); Title X, Aid to the 
Blind, § 1002(a)(6), 42 U.S.C. 1202(a)(b); Title XIV, Aid to 
the Permanently and TotallyDisabled, §1402(a)(6), 42 U.S.C. 
1202(a)(6); Title XVI, Aid to the Aged, Blind, or Disabled, 
and Medical Assistance for the Aged, § 1602(a)(6), 42 U.S.C. 
1382(a)(6); Title XIX, Medical Assistance (Medicaid), § 
1902(a)(6), 42 U.S.C. 1396(a)(6). 


There is a specific reporting requirement in section 402(a)(21) of 
the Social Security Act, 42 U.S.C. 602(a}(21), that the States send 
to the Secretary the names and social security numbers of parents 
who have a court-ordered obligation to support AFDC recipients, 
but who cannot be found. Under § 410 of the Act, 42 U.S.C. 610, 
the Secretary is to consult the Secretary of the Treasury to see if 
such parents can be located through Internal Revenue Service files. 

Another authorization to collect information is found in the 
legislation establishing the Children’s Bureau (a unit now placed in 
the Office of Child Development), which is charged with “investi- 
gating and report{ing] to the Secretary...upon all matters 
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pertaining to the welfare of children ” Act of April 9 
shies piolZ. 
ch. 73 sec.2, 37 Stat. 79, 42 U.S.C. 192. i 


OFFICE FOR CIVIL RIGHTS 


Executive Order 11246 (3 CF.R. 342 (1964-65 Comp.), Sept 
24, 1965), which prohibited discrimination in employment erat 
tices by Federal contractors and subcontractors, provides that in 
every Government contract, in addition to the nondiscrimination 
clauses, the following clause shall be included: 


(5) The contractor will furnish all information and reports 
required by Executive Order No. 11246 of September 24 
1965, and by the tules, regulations, and orders of the 
Secretary of Labor, or pursuant thereto, and will permit access 
to his books, records, and accounts by the contracting agency 
and the Secretary of Labor for purposes of investigation to 
a compliance with such rules, regulations, and orders. 


In HEW, compliance with the Executive order is handled by the 
Office for Civil Rights (OCR). The Executive order provides that 


Each contracting agency shall be primarily responsible for 
obtaining compliance with the tules, regulations, and orders of 
the Secretary of Labor with Tespect to contracts entered into 
by such agency or its contractors. § 205, 


In addition, a section of the regulations issued by the Secretary 
of Labor pursuant to the Executive order provides that 


The head of each agency shall, subject to the prior approval of 
the Director [of the Office of Federal Contract Compliance] , 
establish a program and promulgate procedures to carry out 
the agency’s responsibilities for obtaining compliance with the 
order and regulations and orders issued pursuant thereto. 41 
C.F.R. 60-1.6(b). 


The Director of the Office of Federal Contract Compliance is 
further authorized to redelegate authority given to him. Such 
redelegated authority “shall be exercised under [the Director’s] 
general direction and control.” 41 C.F.R. 60-1.46. One further 
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provision upon which OCR jurisdiction is based contains the 
definition of “compliance agency”: 


....the agency designated by the Director on a geographical, 
industry or other basis to conduct compliance reviews and to 
undertake such other responsibilities in connection with the 
administration of the order as the Director may determine to 
be appropriate. 41 C.F.R. 60-1. 3(d). 


This section continues with guidelines for when no such designation 
is made. 

The Department of Labor regulations define the responsibilities 
of OCR for conducting compliance reviews, 41 C.F.R. 60-1.20, and 
complaint investigations. 41 C.F.R. 60-1.24 (b). The regulations 
also require such disclosure to OCR as is necessary to determine 
whether a contractor is complying with the Executive order. 41 
C.F.R. 60-1.7 and 1.43. 

OCR activities also include monitoring compliance with Title VI 
of the Civil Rights Act of 1964 which prohibits discrimination in 
programs and activities receiving Federal financial assistance. Under 
Title VI, Department regulations provide for the submission of 
compliance information to the Department by recipients of 
financial assistance and for access by Department officials to such 
information as is necessary to ascertain compliance with the Act. 45 
C.F.R. 80.6. The regulations also require periodic compliance 
reviews and investigations of specific complaints. 45 C.F.R. 80.7. 


Constraints on the Process of Collecting Information 


Superimposed upon the authority of HEW to collect information 
is the Federal Reports Act, 44 U.S.C. 3501-3511, passed originally 
in 1942 (56 Stat. 1078). Section 3509 states that “A Federal 
agency may not conduct or sponsor the collection of information 
upon identical items, from ten or more persons, other than Federal 
employees, unless, in advance of adoption or revision of any plans 
or forms to be used in the collection—” the Office of Management 
and Budget (OMB) approves the proposed collection of informa- 
tion. 
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The stated purpose of this Act is to minimize both the burden 
upon those required to furnish information and the cost to the 
Government of collection. In addition, the Act provides for 
cooperation among agencies in sharing information. Provisions are 
included relating to unlawful disclosure and confidentiality of 
information. See p.p. 272-273, below. See generally OMB Circular 
No. A-40 Revised, May 3, 1973. 

The Act defines “information” as 


facts obtained or solicited by the use of written report forms, 
application forms, schedules, questionnaires, or other similar 
methods calling either for answers to identical questions from 
ten or more persons other than agencies, instrumentalities, or 
employees of the United States or for answers to questions 
from agencies, instrumentalities, or employees of the United 
States which are to be used for statistical compilations of 
general public interest. 44 U.S.C. 3502. 


Under OMB instructions accompanying the report clearance 
request form (OMB Standard Form 83), one paragraph is specifi- 
cally directed to whether sensitive questions may be included and 
if so, in what form: 


Additional justification must be provided for surveys which 
include questions of a sensitive nature, such as sex behavior 
and attitudes, religious beliefs and other matters which are 
commonly considered private. This should include the reasons 
why the agency considers the questions necessary and the 
specific uses to be made of the data obtained. The explanation 
to be given respondents and any steps to be taken to secure 
their consent (except where response is mandatory) should be 
stated. Describe extent of confidentiality and protection 
provided against disclosure of information from individual 
returns, including arrangements for disposition of completed 
report forms. Instructions, III, A-7. 


Limitations on Storage, and Dissemination of Information 


Limitations on the storage, handling and dissemination of 
information collected by HEW are found in statutes, Depart- 
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mental regulations, Civil Service Commission regulations, man- 
uals, policy statements, contract guidelines and miscellaneous 


memoranda. 


The overall Federal government records management policy is 
set out in 44 U.S.C. 3101 which requires the head of each 


Federal agency to 


....make and preserve records containing adequate and 
proper documentation of the organization, functions, policies, 
decisions, procedures, and essential transactions of the agency 
and designed to furnish the information necessary to protect 
the legal and financial rights of the Government and of persons 
directly affected by the agency’s activities. 


As mentioned in the previous discussion of the Federal Reports 
Act. (pp. 270-271, above) there is a section in that Act discussing 
when information collected under reports approved under the Act 


may be released. 


(a) If information obtained in confidence by a Federal 
agency is released by that agency to another Federal agency, 
all the provisions of law including penalties which relate to the 
unlawful disclosure of information apply to the officers and 
employees of the agency to which information is released to 
the same extent and in the same manner as the provisions 
apply to the officers and employees of the agency which 
originally obtained the information. The officers and em- 
ployees of the agency to which the information is released, in 
addition, shall be subject to the same provisions of law, 
including penalties, relating to the unlawful disclosure of 
information as if the information had been collected directly 
by that agency. 

(b) Information obtained by a Federal agency from a 
person under this chapter may be released to another Federal 
agency only— 

(1) in the form of statistical totals or summaries; or 

(2) if the information as supplied by persons to a Federal 

agency had not, at the time of collection, been declared 

by that agency or by a superior authority to be 
confidential; or 
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(3) when the persons supplying the information consent 
to the telease of it to a second agency by the agency to 
which the information was originally supplied; or 


(4) when the Federal agency to which another Federal 
agency releases the information has authority to collect 
the information itself and the authority is supported by 
legat provision for criminal penalties against persons 
failing to supply the information. 44 U.S.C. 3508. 


Superimposed upon all HEW information disclosure is the Public 
Information Act, 5 U.S.C. 552. This Act (usually known as the 
Freedom of Information Act’’) establishes a formalized declara- 
tion of availability of records and information of all Government 
agencies. The policy of the Act as implemented in the HEW Public 
Information Regulation, 45 C.F.R. Part 5, is ““. . .one of the fullest 
responsible disclosure limited only by the obligations of confiden- 
tiality and the administrative necessities recognized by the Act.” 45 
C.F.R. 5.12. The exemptions from this policy of disclosure which 
are stated in the Act are: 


.. matters that are— 


(1) specifically required by Executive order to be kept 
secret in the interest of the national defense or foreign 
policy; 

(2) related solely to the internal personnel rules and 
practices of an agency; 


(3) specifically exempted from disclosure by statute; 


(4) trade secrets and commercial or financial information 
obtained from a person and privileged or confidential; 


(5) inter-agency or intra-agency memorandums or letters 
which would not be available by law to a party other 
than an agency in litigation with the agency; 


(6) personnel and medical files and similar files the 
disclosure of which would constitute a clearly unwar- 
ranted invasion of personal privacy; 


oe ae ll 
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(7) investigatory files compiled for law enforcement 
purposes except to the extent available by law to a party 


other than an agency; 


(8) contained in or related to examination, operating, or 
condition reports prepared by, on behalf of, or for the 
use of an agency responsible for the regulation or 
supervision of financial institutions; or 


(9) geological and geophysical information and data, 
including maps, concerning wells. 5 U.S.C. 552 (b). 


The HEW Public Information Regulation provides the operating 
requirements for the Public Information Act. Whenever certain 
materials, such as final opinions in the adjudication of cases, which 
are required to be made available under the Act, relate to an 
individual, the name or other identifying details shall be removed 
and the materials shall so indicate, if release of such information 
would constitute a ‘‘clearly unwarranted invasion of privacy.” 45 
C.F.R. 5.16. The exemptions to required disclosure as set out in the 
Act are reiterated in the Regulation with amplification of their 
scope. 45 C.F.R. 5.70 ef.seqg. In addition, Appendix A of the 
Regulation provides examples of exempt materials. Proposed 
amendments to these regulations take account of experience with 
the regulations and court decisions. 38 Fed. Reg. 8273, May 30, 
1973. 

An explicit statutory constraint on disclosure of information 
which is preserved by exemption (3) is found in section 1106(a) of 
the Social Security Act, 42 U.S.C. 1306(a), which prohibits 
disclosure of any personal information obtained by the Department 
in the course of administration of the Act except as specifically 
prescribed in regulations issued by the Secretary. (Criminal penal- 
ties are provided for violation of this provision.) There are two 
carefully delimited statutory exceptions from this general prohib- 
ition on disclosure of information obtained by HEW under the 
Social Security Act. The first is Section 1106(c) of the Act which 
requires the Secretary to furnish an individual’s most recent 
address, or the address of the individual’s most recent employer, to 
a court or a state or local public assistance agency where the 
individual is sought for purposes of a child support order. 42 U.S.C. 
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1306(c). See 20 C.F.R. 401.3(g) (3) and (4). The second, found in 
Section 290(c) of the Immigration and Nationality Act, provides 
for release of information regarding the identity and location of 
aliens to any official of the Department of Justice charged with the 
administration of Title II of that Act. 8 U.S.C. 1360(c). See 20 
C.F.R. 401.3(p). 

Social Security Administration Regulation No. 1, 20 C.F.R. Part 
401, issued under Section 1106 of the Social Security Act, specifies 
with respect to any information “which in any way relates to, or is 
necessary to, or is used in or in connection with, the administration 
of the old-age, survivors, disability, or health insurance programs 
conducted pursuant to Titles If and XVIII of the Social Security 
Act,” what information may be disclosed, under what circum- 
stances and to whom. (No regulation has been issued to prescribe 
permissible disclosure of any information obtained by HEW in the 
course of its administration of the public assistance programs of the 
Social Security Act, viz., under Titles I, IV, V, X, XI, XIV, XVI, 
and XIX. Hence, disclosure of such information is barred by Sec- 
tion 1106(a) of the Act.) The disclosures permitted by SSA Regula- 
tion No. 1 relate primarily to situations in which: the claimant or 
his representative gives authorization; disclosure is necessary for a 
social security program purpose; any official of the Treasury De- 
partment or the Department of Justice charged with administration 
of Titles I, VIII or IX of the Social Security Act, or certain contri- 
bution and revenue laws, needs information for the purpose of such 
administration; any Federal official charged with administration of 
public assistance, retirement or other benefit payment programs 
needs information for the purpose of such administration; any State 
or local agency official charged with administration of various 
Federally-aided public assistance programs needs information for 
the purpose of such administration; any authorized Federal official 
is engaged in investigation or prosecution of a criminal violation of 
the Act or certain contributions and revenue laws; and the Federal 
Bureau of Investigation or the U.S. Secret Service is engaged in 
investigation or prosecution of threat or act of espionage, sabotage 
or other similar act inimical to national security and certifies in 
wniting that the information requested is required in an investiga- 
tion of major importance to protect national security. The fore- 
going and certain other situations when information may be dis- 
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closed are specified in careful detail in the Regulation. 20 C.F.R. 
401.3. 

A criminal statute of government-wide applicability provides 
criminal penalties for unauthorized disclosure of specified classes of 
information by government officers and employees. This statute 
states: 


Whoever, being an officer or employee of the United States 
or of any department or agency thereof, publishes, divulges, 
discloses, or makes known in any manner or to any extent not 
authorized by law any information coming to him in the 
course of his employment or official duties or by reason of 
any examination or investigation made by, or return, report or 
record made to or filed with, such department or agency or 
officer or employee thereof, which information concerns or 
relates to the trade secrets, processes, operations, style of 
work, or apparatus, or to the identity, confidential statistical 
data, amount or source of any income, profits, losses, or ex- 
penditures of any person, firm, partnership, corporation, or 
association; or permits any income return or copy thereof or 
any book containing any abstract or particulars thereof to be 
seen or examined by any person except as provided by law; 
shall be fined not more than $1,000, or imprisoned not more 
than one year, or both; and shall be removed from office or 
employment. 18 U.S.C. 1905. 


Its principal focus appears to be the protection of commercial 
secrets, but the reference to “identity. . .of any person” and “‘con- 
fidential statistical data” might provide some possibility of employ- 
ing this statute in cases of unauthorized disclosure of personal data. 
In any case, however, it merely provides a criminal penalty for 
disclosing information “in any manner or to any extent not author- 
ized by law.” It does not of itself impose an obligation of nondis- 
closure and does not qualify as a statutory exemption from dis- 
closure under exemption (3) of the Freedom of Information Act 


(p. 273 above). 


Constraints on Grantee Behavior 


In some instances HEW’s program authority makes explicit statu- 
tory provision for the handling of personal information obtained by 
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HEW grantees. For example, the Social Security Act requires that 
State plans for the programs of Old Age Assistance, Aid to the 
Blind, Aid to the Permanently and Totally Disabled, Aid to the 
Aged, Blind or Disabled, and Medical Assistance for the Aged, pro- 
vide safeguards which permit the use or disclosure of information 
concerning applicants or recipients only to public officials who re- 
quire the information in connection with their official duties, or to 
other persons for purposes directly connected with the administra- 
tion of the plan. Social Security Act, § 2(a)(7), 42 U.S.C. 
302(a)(7); § 1002(a)(9), 42 U.S.C. 1202(a)(9), § 1402(a)(9), 42 
US.C. 1352(a)(9); § 1602(a)(7), 42 U.S.C. 1382(a)(7). State plans 
for Aid to Families with Dependent Children and for Medical 
Assistance must provide safeguards limiting use or disclosure of 
information to purposes directly connected with the administration 
of the plan. Social Security Act, § 402(a)(9), 42 U.S.C. 602(a)(9) 
and § 1902(a)(7), 42 U.S.C. 139a(a)(7). All the Public Assistance 
programs of the Social Security Act had, until the Social Security 
Amendments of 1972 (P.L. 92-603, October 30, 1972) the same 
limitation on disclosure found in sections 402 and 1902. Those 
Amendments broadened the access for all the programs except 
AFDC and Medical Assistance, to permit public officials access to 
information about applicants and recipients. P.L. 92-603, § 413. 
The Amendments also provided the broader access in the new 
program of Grants to States for Services to the Aged, Blind, or 
Disabled, under a new Title VI which will go into effect on January 
1, 1974. 8 602(a)(6). The States’ obligations with respect to 
information about recipients in the public assistance programs 
(other than Medical Assistance) are modified by § 618 of the 
Revenue Act of 1951, 42 U.S.C. 302 note, which allows States to 
have legislation allowing access to records of disbursement of public 
assistance funds as long as the legislation “prohibits the use of any 
list or names obtained through such access to such records for 
commercial or political purposes.” 

HEW implementation of the requirements for safeguarding infor- 
mation is found in 45 C.F.R. 205.50. This regulation is in the 
process of revision to take account of the 1972 amendments. 

The behavior of States in handling information in Public As- 
sistance programs is further constrained by Department instructions 
on how the States may determine eligibility. Under 45 C.F.R. 
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206.10(a)(12), a State agency must get the applicant’s consent 
before consulting records about the applicant. Under a recent 
proposal (37 Fed. Reg. 28189, Dec. 21, 1972), States would have 
been permitted to consult public records (.e., records of any public 
agency, whether or not available for public inspection), without 
seeking consent. A more recent proposal (38 Fed. Reg. 9819, April 
20, 1973) would remove Federal restrictions on State behavior in 
this area be eliminating from 45 C.F.R. 206.10 any reference to 
consultation of records. If this proposal is adopted, the resulting 
flexibility would permit States to consult any records without 
seeking consent. 

Three grant programs in the health field carry their own specific 
restrictions on grantee handling of patient data. The Venereal 
Disease Prevention and Control Program under § 318 of the Public 
Health Service Act, 42 U.S.C. 247c, (added by P.L. 92-449) has a 
requirement that information about the examination, care, OF 
treatment of any individual carried out under the grant program 
“shall not, without such individual’s consent, be disclosed except as 
may be necessary to provide service to him... « There is specific 
provision for disclosure of statistics, or for “clinical or research 
purposes” as long as the individual’s identity is not disclosed. 

Two programs under Title XI of the Public Health Service Act 
provide grants for screening, counseling, and some treatment for 
sickle cell anemia and Cooley‘s anemia, two genetic blood disorders. 
The applicants for the grants “shall—. ..(2) provide for strict 
confidentiality of ali test results, medical records, and other 
information regarding screening, counseling, or treatment of any 
person treated, except for (A) such information as the patient (or 
his guardian) consents to be released, or (B) statistical data 
compiled without reference to the identity of any such patient. a 
§ 1104(a)(2) and § 1 113(a)(2) of the Public Health Service Act; 42 
U.S.C. 300b-3(a)(2) and 300c-2(a)(2). 

The Social Security Amendments of 1972 added a new Part B to 
Title XI of the Social Security Act. This authorizes the Secretary to 
enter into agreements with organizations to review, from a technical 
and professional standpoint, the necessity and quality of medical 
services for which payment may be made under the Social Security 
Act. (This includes Medicare, Medicaid, and certain child health 
programs.) These organizations will be nonprofit associations of 
physicians, or other organizations found able to perform the task, 
and are designated Professional Standards Review Organizations. 
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Certain obligations with respect to confidentiality are imposed 
by the statute. Under § 1155(a)(4), 42 U.S.C. 1320c-4(a)(4), these 
organizations must arrange for the maintenance and review of 


profiles of care and services received and provided with respect 
to patients, utilizing to the greatest extent practicable in such 
patient profiles, methods of coding which will provide maxi- 
mum confidentiality as to patient identity and assure objective 
evaluation consistent with the purposes of this part. 


There is a prohibition on disclosure of information in § 1166, 42 
U.S.C. 1320c-15, which is somewhat similar to the one in § 1106. 
Under § 1166, data or information acquired by any Professional 
Standards Review Organization shall be held in confidence and not 
disclosed except as necessary to carry out the purposes of the pro- 
gram, or under “such circumstances as the Secretary shall by regula- 
tions provide to assure adequate protection of the rights and in- 
terests of patients, health care practitioners, or providers of health 
care.” Fine, imprisonment, and the costs of prosecution are pro- 
vided as penalties. 

Section 305(a) of the Public Health Service Act authorizing the 
Secretary to conduct the National Health Surveys and Studies, 42 
U.S.C. 242C (pp. 263-264, above) includes the following constraint 
added by P.L. 91-515: 


No information obtained in accordance with this paragraph 
may be used for any purpose other than the statistical pur- 
poses for which it was supplied except pursuant to regulations 
of the Secretary; nor may any such information be published 
if the particular establishment or person supplying it is identi- 


fiable except with the consent of such establishment or per- 
son. 


Explicit provision to authorize constraints on disclosure of per- 
sonal information in research relating to drugs is found in § 303(a) 
of the Public Health Service Act, 42 U.S.C. 242a, as follows: 


The Secretary may authorize persons engaged in research on 
the use and effect of drugs to protect the privacy of indi- 
viduals who are the subject of such research by withholding 
from all persons not connected with the conduct of such re- 
search the names or other identifying characteristics of such 
individuals. Persons so authorized to protect the privacy of 
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such individuals may not be compelled in any Federal, State, 
or local civil, criminal, administrative, legislative, or other pro- 
ceedings to identify such individuals. 42 U.S.C. 242a. 


Similar authority with respect to alcohol research is found in § 
333 of the Comprehensive Alcohol Abuse and Alcoholism Preven- 
tion, Treatment, and Rehabilitation Act of 1970. 42 U.S.C. 4582. 
The Attorney General has similar authority with respect to drug 
research under § 502(c) of the Comprehensive Drug Abuse Preven- 
tion and Control Act of 1970, 21 U.S.C. 872(c). In these author 
ities, the authorization to hold data confidential may be given to 
anyone conducting the specified research; there is no requirement 
of Federal connection. The authorization with respect to drug re- 
search has been given to Federal employees not in HEW and to 
employees of an OEO-fuinded project with no HEW connection, 37 
Fed. Reg. 21547, Oct. 12, 1972, and to employees of HEW contrac- 
tors doing alcoholism research. 37 Fed. Reg. 28310, Dec, 22, 1972. 

Availability of Public Health Service records and information is 
governed by 42 C.F.R., Part 1. Clinical information as defined is 
confidential and is available “...only as necessary for the per- 
formance of the functions of the Service” or in certain limited 
instances, such as to a patient or his designee upon a reasonable 
showing of need; to a government agency which requested or ar- 
ranged for examination, care or treatment service facilities; or to 
State or public health agencies ‘engaged in collecting data regarding 
disease.” 42 C.F.R. 1.102. In addition, upon a court order, clinical 
information shall be disclosed in accordance with applicable local 
law regarding confidentiality of physician-patient communications. 

When non-clinical information has been obtained under an as- 
surance of confidentiality, it may be disclosed only with the con- 
sent of the person or agency to whom the assurance was given or 
when the Secretary determines that disclosure is necessary to pre- 
vent “an epidemic or other grave danger to the public health” or in 
a legal action brought against the Government. 42 C.F.R. 1.103. 

The regulations contain additional limitations on release of 
records and information concerning actions of advisory councils; 
regulatory programs such as licensing of biological products; con- 


duct of research projects; and applications for employment or Fed- | 


eral support. 
Six other regulations provide limitations on dissemination of in- 


formation. 
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42 C.F.R. 200.12 provides that State Plans for maternal and 
child health and crippled children’s programs shall provide for desig- 
nation of all personal information as confidential with suitable regu- 
lations and safeguards to be provided. However, information which 
does not identify particular individuals may be disclosed in sum- 
mary or statistical form. 

42 C.F.R., Part 3 provides, among other conditions, that the 
Special Statistical Services of the National Center for Health Statis- 
tics may be furnished provided that “the data or statistics requested 
are not confidential.” 


42 C.F.R., Part 300 provides that the records of Saint Elizabeth’s 
Hospital are confidential and may be disclosed only upon a court 
order or if the Superintendent determines that it would “not be 
intmical to the public interest or to the welfare of the patient.” 42 
C.F.R. 300.2. 

21 CF.R., Part 4 provides for procedures to be followed by 
persons desiring to obtain records and information of the Food and 
Drug Administration not specifically available under the Freedom 
of Information Act and the Department’s implementing regulations. 
. The Food and Drug Administration (FDA) regulation governing 
uvestigational new drugs and approved new drugs specifically pro- 
vides that the identity of individual patients need not be divulged 
by a clinical investigator physician unless the records of particular 
subjects require a more detailed study by FDA personnel of the 
case history or unless there is reason to believe that the records do 
not represent actual cases studied or do not represent actual results 
obtained. 21 C.F.R. 130.3(a)(12), 130.3(a)(13), and 130.13(c). 

Disclosure of individual information obtained in the adminis- 
tration of the Social and Rehabilitation Service repatriation as- 
sistance program, authorized by Section 1113 of the Social Security 
Act, 42 U.S.C. 1313, is carefully constrained by regulation for the 
benefit of assisted individuals. 45 C.F.R. 212.9. 


Other Limitations 


In addition to the statutes and regulations discussed above, guide- 
lines relating to disclosure of information exist in many other forms 
including manuals, circulars and instructions, policy statements, 
contract clauses, and assurances on data collection forms. Many of 
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these develop and enlarge upon the policies and procedures which 
are prescribed in statutes and regulations. In other instances, these 
guidelines have been promulgated in the absence of any specific 
statutory or regulatory provisions. Examples of such guidelines are 
as follows. 

The National Center for Health Statistics (NCHS) has issued a 
comprehensive policy statement on release of data. Simply stated, 
this policy is one of “absolute and uncompromising protection of 
confidentiality. ..with respect to data supplied by respondents as 
privileged communications.” Data are never to be released in a man- 
ner in which a respondent’s identity is revealed, but rather only as 
aggregate statistics. Detailed procedures for handling particular 
classes of data or programs are provided. Furthermore, there are 
restrictions placed on the use of the statistics themselves so that 
there will be no misuse or misrepresentation. The NCHS requires a 
pledge in each contract that confidentiality of records will be main- 
tained and that access to data will be strictly limited. A document 
signed by Surgeon General L.E. Burney on February 26, 1957 and 
published in the Federal Register, 22 Fed. Reg. 1687 (March 15, 
1957), underscores the guarantees. This is supplemented by another 
similar assurance published in May, 1959. 24 Fed. Reg. 4061 (May 
20, 1959). Furthermore, most data collecting questionnaires carry a 
confidentiality assurance. All persons engaged in data-collecting ac- 
tivities with NCHS must also sign an affidavit guaranteeing non 
disclosure. 

Health Services and Mental Health Administration Circular No. 
71.1 entitled, ‘‘Assurances of Confidentiality Given in Obtaining 
Information” sets out the Public Health Service policy for the 
Health Services and Mental Health Administration (HSMHA) gov- 
erning when such assurances shall be given, what form the assurance 
shall take and what the responsibilities are with respect to informa 
tion collected subject to the assurance. 

In situations where information is collected and stored by third 
parties under contracts with HEW, generally either the contracts 
themselves or contract guidelines include confidentiality provisions. 
The Community Care Contract Agency Series, guidelines prepared 
by the Narcotic Addict Rehabilitation Branch of the National Inst 
tute of Mental Health, provide that the records maintained for each 
patient will be kept confidential and that release of information, 
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other than to government program personnel and the Federal 
courts, will be permitted only with the patient’s signed consent. 

Social Security Administration (SSA) contracts with intermedi- 
aries and carriers, e.g., Blue Cross, include clauses directing them to 
adopt policies and procedures to insure that information obtained 
in carrying out their functions under the Social Security Act shall 
be used and disclosed solely as provided in SSA Regulation No. }! 
(p. 275, above). Furthermore, the contractors must agree to include 
in all subcontracts disclosure clauses identical to those in their own 
contracts. 

The Social Security Claims Manual, SSA’s operating instructions 
for its employees, contains an entire chapter devoted to disclosure 
of information. See Ch. 7300. This chapter, is keyed to the regula- 
tions, 20 C.F.R., Part 401, and covers in rigorous detail, circum- 
stances under which disclosure is allowed. 

The Social Security Handbook, which does not have the force of 
law, contains nine pages bearing directly upon the subject of what 
information SSA may or may not disclose under specified condi- 
tions and circumstances. Handbook, §§ 141-153 and 1701. The 
Handbook was published to provide a detailed explanation of the 
social security program to the public and it does not reflect changes 
in the regulations since early 1968. 

A guide to policies governing the provision of special statistical 
information, records, and related materials created pursuant to Sec- 
tion 417 of the General Education Provisions Act, 20 U.S.C. 1231f 
(p. 262, above), was adopted by the Office of Education in March, 
1972. 37 Fed. Reg. 6218 (March 25, 1972). The basic policy is ‘“‘to 
make. . .collected statistical information available. ..as widely and 
promptly as possible” subject to certain constraints including non- 
violation of confidentiality of data. 


Permanent Storage and Disposal of Information 


A comprehensive statutory scheme vests authority for manage- 
ment of Federal government records in the General Services Admin- 
istration (GSA) including generally supervising each agency’s record 
keeping, setting standards for selective retention of records, estab- 
lishing centers for storage, processing and servicing of records, and 
finally, regulating and handling the ultimate disposal or permanent 
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storage of all government records. 44 U.S.C. 2901-2910 and 44 
U.S.C. 3301-3314. 

Records that contain information that is subject to confiden- 
tiality restrictions remain subject to such protection when trans- 
ferred to GSA, as provided by a regulation that states: 


Whenever any records that are transferred are subject to re- 
strictions upon their use, imposed pursuant to statute, Execu- 
tive order, or agency determination, such restrictions shall 
continue in effect after the transfer. Restrictions imposed by 
agency determination may be removed by agreement between 
the agencies concerned. 41 C.F.R. 101-11.409-8. 


Personnel Information Activities 


In addition to the authority to collect personne] information to 
fulfill general Departmental administrative responsibilities (pp. 
260-261, above), there is a duty imposed upon the Department to 
collect personnel information to fulfill Civil Service Commission 
(CSC) requirements. Under the provisions of 5 U.S.C. 2951 and 
Executive Order 10577, HEW is required periodically to provide 
various personnel-related reports to the Civil Service Commission. 
Section 7.2 of Civil Service Rule VII provides that: 


Each agency shall report to the Commission, in such manner 
and at such times as the Commission may prescribe, such per- 
sonnel information as it may request relating to positions and 
officers and employees in the competitive service and in the 
excepted service, whether permanent or career, career 
conditional, indefinite, temporary, emergency, or subject to 
contract. 5 C.F.R. 7.2. 


The data required for these reports »re essentia'ly those supplied on 
the CSC Standard Form 50, Notification of Personnel Action. That 
information consists of basic personal data (name, sex, birth date); 
basic employment data (grade, dates of entrance into service and of 
potential promotion, pay plan and occupation code, insurance 
codes, type of personnel actions taken); veteran preference code 
and handicap code. See Federal Personnel Manual, Chapter 291. 
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Civil Service Commission regulations deal extensively with the 
maintenance of personnel records. The regulations require establish- 
ment of an Official Personnel Folder for each employee, 5 C.F.R. 
293.202, which Folder is under the jurisdiction and control of and 
part of the records of the Civil Service Commission. 5 C.F.R. 
293.203. In these Folders each agency is obliged to maintain re- 
ports of selection and other personnel actions as listed in 5 U.S.C. 
2951 and also other records as required by Commission instruc- 
tions. 5 C.F.R. 293.204. There is a provision relative to removal of 
records of only temporary value from the Folder. 5 C.F.R. 
293.209. 

Another requirement for collection of information about Federal 
employees is found in 5 C.F.R. 713.302 which calls for periodic 
reporting of employment statistics by race and national origin. CSC 
regulations provide that data as to race or national origin may be 
collected only by visual identification. 5 C.F.R. 713.302(b). In ad- 
dition, anyone having the authority to take or recommend per- 
sonnel action in the competitive service is prohibited from making 
any inquiry concerning race, religion, or political affiliation of any 
employee in, or any eligible or applicant for, the competitive 
service. 5 C.F.R. 4.2. 


The disclosure of information collected for personnel purposes is 
limited by statutes and regulations as follows. The Freedom of 
Information Act specifically exempts from public disclosure mat- 
ters 


related solely to the internal personal rules and practices of an 
agency....[and] personnel and medical files and similar files 
the disclosure of which would constitute a clearly unwarranted 
invasion of personal privacy. 5 U.S.C. 552(b)(2) and (6). 


These sections are amplified in regulations of both the Civil Service 
Commission, 5 C.F.R. 294.103, and the Department, 45 C.F.R. 
5.72 and 5.76 (p. 274, above). 

The general policy of the Civil Service Commission is to make 
information available unless disclosure would constitute a clearly 
unwarranted invasion of personal privacy or is otherwise prohibited 
by law. Medical information may not be made available without the 
individual’s written consent, 5 C.F.R. 294.401, nor may informa- 
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tion from annual and sick leave records, 5 C.F.R. 294.1101. Names, 
present and past positions, titles, grades, salaries and duty stations 
of government employees are publicly available, except when re- 
lease of such information is prohibited by law or Executive order or 
when the information is sought for commercial or other solicitation 
or for political purposes. Employee’s name, address, Sociat Security 
number, and amount of Federal compensation are furnished to 
State or local taxing authorities pursuant to Office of Management 
and Budget Circular No. A-38, Revised. In addition, limited infor- 
mation may be made available to prospective employers and home 
address shall be made available to a police or court official for the 
purpose of service of a summons, warrant, subpoena or other legal 
process. Approved educational and historical researchers may be 
granted limited access to information about separated employees 
which is stored with the General Services Administration; however, 
information that is derogatory to the former employee shall not be 
made available under this provision. 5 C.F.R. 294.702. With the 
exception of certain medical information, test material, and investi- 
gative reports, employees, former employees, and their representa- 
tives or other persons having their consent may have access to their 
Official Personnel Folders. Finally, Official Personnel Folders are, 
with limitations on material relating to loyalty and security, of- 
ficially accessible to members of Congress, representatives of Con- 
gressional committees and subcommittees, government officials of 
the District of Columbia and Federal executive branch officials. 5 
C.F.R. 294.703. Provision exists for limited disclosure to the parties 
concerned and to the public of information from administrative 
appeal and complaint files established for purposes of employee 
grievances and administrative appeals. 5 C.F.R. 294.801. 
Instructions, letters and bulletins are issued by the Civil Service 
Commission periodically to amplify, update, and reinforce the re- 
quirements provided in statutes and regulations. The instructions of 
the Civil Service Commission, found in the Federal Personal Manual 
(FPM), are issued under the authority of Executive Order 10561 
and under the regulations discussed above. They apply to all execu- 
tive departments and agencies. Chapter 290 of the FPM, added in 
1969; is designed to guide agencies in the use of automated data 
processing in personnel administration. It discusses modifications of 
standard forms necessary or desirable when automated processing is 
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used and also lists data elements necessary to meet reporting re- 
quirements, FPM, Ch. 290, Appendix A, and- mandatory and op- 
tional data elements when an automated system is used. FPM, Ch. 
290, Appendix B. 


Appendix H 


Mailing Lists 
DANIEL H. LUFKIN* 


I would to God thou and I knew where a commodity of good names 
were to be bought. 


—Falstaff 
Henry IV, Part I, f, ii. 


If Falstaff had waited five hundred years, he would have had no 
difficulty at all in buying all the names he wanted, for names, like 
any other commodity, are bought, sold, rented, and traded in the 
lively, mercurial industry of direct-mail advertising. Probably no 
other application of electronic data processing has had a broader 
effect upon so large a population as the headlong computerization 
of the mailing list. The United States Postal Service handles slightly 
more than one piece of mail per day for every man, woman, and 
child in the country. About a quarter of the volume moves as 
third-class matter; i.e., printed material that is neither a periodical 
nor a book. In practice, nearly all third-class mail is advertising or 
appeals for funds. 


*Staff Consultant to the Committee 
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Since its origin a century ago, the direct-mail industry has grown 
to represent an advertising expenditure of about $3 billion per year, 
or about one-seventh of the total national advertising volume. Mail 
advertising moves about $50 billion annually in goods and services, 
or roughly 5 percent of the Gross National Product. Divided among 
the 260,000 holders of Postal Service bulk third-class permits, this 
represents an average annual volume of business of about $200,000 
per holder. A Department of Commerce estimate that only a tenth 
of all permit holders have more than 100 employees, and only half 
have more than 10, supports the industry’s contention that it is 
dominated, numerically at least, by small firms operating locally. 
The largest single class of mailings, accounting for slightly less than 
10 percent of the total, is magazine subscription offers. 

Although direct-mail advertising is one of the more common ex- 
periences of everyday life, public attitudes toward it are studded 
with inconsistencies and contradictions, likely reflecting the fact 
that few people give it much thought one way or the other until 
they are asked a specific question by an interviewer. Even then, the 
dissonance of being intruded upon by a survey on privacy may well 
distort the replies. In privacy-minded Britain, for example, only 
about 2 percent of the respondents in the Younger Committee’s 
survey spontaneously mentioned that their privacy had been in- 
vaded through the mail, and much of that response was apparently 
prompted by recent (1970) saturation mailings advertising sex man- 
uals and the Reader’s Digest (in separate mailings, of course).’ In 
the United States, a Nielson survey found that 87 percent had no 
objection to being addressed as “‘occupant”’.? In a survey on behalf 
of the American Federation of Information Processing Societies 
(AFIPS), however, 63 percent of the respondents voted for a de- 
crease in “using computers to send mail advertisements to the 
home,” and 84 percent felt that the Government should be con- 
cerned with that use.? 


‘Report of the Committee on Privacy, Rt. Hon, Kenneth Younger, Chairman, 
(London: H. M. Stationery Office}, 1972, pp. 123, 125-127. 

2 Factsheet: Direct Mail Advertising (New York: Direct Mail Advertising Association), 
1973, p. 2. 

3 American Federation of Information Processing Societies and TIME magazine, A 
National Survey of the Public’s Attitudes Toward Computers (New York: AFIPS-TIME, 
Inc,), 1971. The summary is discussed in Alan F. Westin and Michael A, Baker, Databanks 
ina Free Society (New York: Quadrangle Books), 1972, pp. 481-484. 
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Since privacy, like happiness, is essentially a subjective state, it is 
not easy to frame the arguments against direct-mail advertising in 
legal or procedural terms. The arrival of the mail itself is scarcely 
an intrusion, since one is free to throw it away unread. The argu- 
ment on the simple ground of annoyance has not been upheld by 


the courts. 


The mail box, however noxious its advertising contents often 
seem to judges as well as other people, is hardly the kind of 
enclave that requires constitutional defense to protect “the 


privacies of life!’’* 


Iago’s claim of ‘‘He that filches from me my good name Robs me of 
that which not enriches him And makes me poor indeed,”’® is popu- 
lar but fails on the grounds that one’s name is not ordinarily dam- 
aged by use in a mailing list and that the use does indeed enrich the 
lister. 

In those exceptional cases in which the name does suffer damage 
because the character of the mailing holds the addressee in a false 
light, as when sexually oriented matter fails to arrive in a plain 
brown wrapper, the common law does afford the addressee the 
same rights of action as in any other case of defamation. A Federal 
statute furthermore allows a person to specify in advance of any 
intrusion that he does not wish to receive sexually oriented adver 
tisements through the mail.® 

An individual who desires to avoid receiving sexually oriented 
mail advertising fills out and submits a Postal Service Form 2201. 
Each adult of 19 or over must submit a separate form, but a parent 
may list up to four children on his own form. These forms are 
processed at Postal Service headquarters and prepared in list format 
as both magnetic tape and printed copy. The lists are made available 
for sale to firms that carry on sexually oriented advertising. The law 
provides a penalty for mailing such advertising to any person who 
has been on the Postal Service list for more than 30 days. (Note 
that this service would be practically impossible to administer with- 
out the use of a computer to compile the list and keep it up to 


*Lamont v. Commissioner of Motor Vehicles, 269 Fed. Supp. 880, 883 (S.D.N.Y. 


1967). 
5 Othello, MII, iii,. 
639 U.S.C. 3010-11. 
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date.) The onus of deciding whether a given advertisement is sex- 
ually oriented is put on the advertiser, who, if he has any doubt at 
all, is unlikely to risk a mailing when he knows that the chance of a 
sale is practically nil, and that he risks criminal prosecution if a 
recipient whose name is listed considers the advertisement objec- 
tionable. 

Another, earlier, statute provides a means for an individual ad- 
dressee to obtain a Postal Service order (i) prohibiting any particu- 
lar mailer from sending him advertisements that’ the addressee, in 
his sole discretion, believes to be “erotically arousing or sexually 
provocative,” (ii) directing the mailer to delete the addressee’s name 
from all mailing lists owned or controlled by the mailer, and (iii) 
prohibiting the mailer from the sale, rental, exchange, or other 
transaction involving mailing lists bearing the addressee’s name.” 

The Direct Mail Advertising Association, Inc., the industry’s 
largest trade organization, also makes a list of people who want to 
be removed from mailing lists. Since the Association excludes mail- 
ers of sexually oriented material from membership, its de-listing 
service is meant to affect ordinary commercial and charitable lists. 
Forms for taking advantage of the Association’s “‘Mail Preference 
Service” are available from its headquarters at 230 Park Avenue, 
New York, New York 10017. According to the DMAA, a consoli- 
dated listing of those who “wish to get out of the mail mainstream” 
is distributed monthly to its approximately 1,600 members. Al- 
though the Association points out that no particular sanctions ap- 
ply to the Mail Preference Service listings, most advertisers are glad 
to remove nonproductive names, since “cleaning” increases the 
trading and rental value of their lists. In fact, most mailers will 
cheerfully remove a name from a list, if the list they are using 
happens to be under their own control and not merely rented from 
a broker. Most mailers, DMAA members and independents both, 
find that requests to be removed from the lists average 3 or 4 
persons per 10 thousand addressees per year. 

If getting off a list takes initiative and a degree of sophistication, 
getting on the list in the first place is so easy as to be practically 
Inevitable for most people. To begin with, both the Direct Mail 
Advertising Association and a number of independent brokers oper- 


739 U.S.C. 3008. 
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ate enlisting services. The Association’s operation lends a symmetry 
to the Mail Preference Service by providing a form to get on mailing 
lists in any of 22 different categories. The independents usually 
place modest classified ads in popular magazines: ‘‘Receive BIG 
mails. Your name on 50 lists, 50 cents”. As one might expect, lists 
compiled from this source include mostly curious teen-agers. Most 
persons join the lists through more indirect, but nonetheless effec- 
tive, paths. 

Almost any action that puts a name and its associated address 
into the hands of a commercial or service organization will put that 
name on a mailing list—subscribing to a magazine, buying an item 
by mail from a magazine advertisement, buying air-travel insurance 
at an airport, joining a professional or scientific society, donating to 
a charity or a political campaign, returning the warranty card from 
a purchase, holding a credit card, or taking out a mortgage. In many 
cases, registering a car, getting born or married, going to school 
(public or private), being in the telephone directory, or qualifying 
for a license as a driver, pilot, or riverboat master will provide all 
the record an entrepreneur needs to add a name to his list.* 

It is this industry practice of compiling lists from official records 
that seems to generate the most consistent opposition to the 
mailing-list industry. However, since administrative records are pre- 
sumed to be public unless otherwise designated, and since openness 
of records serves well-recognized democratic ends, it seems an un- 
necessarily Procrustean solution to restrict access to public records 
merely to make life more complicated for advertisers. In fact, com- 
petitive pressure often forces commercial list agencies to abandon 
public records as too outdated and to develop other sources for the 
same data. Birth records in many jurisdictions, for example, often 
lag as much as 60 days, so that the psychological edge of a fine- 
honed mailing to sell insurance to the new father, for instance, 
would be badly dulled. Most commercial birth lists are compiled 
from private agreements with hospitals (or with hospital em- 
ployees), newspaper birth announcements, or from orders with 
diaper services or dairies. Some of the larger lists, particularly for 


®See Sale or Distribution of Mailing Lists by Federal Agencies, Hearings before the 
Subcommittee on Foreign Operations and Government Information of the Committee on 
Government Operations, U.S. House of Representatives, 92nd Congress, 2d Session, June 
13 and 15, 1972 (Washington, D.C.: U.S. Government Printing Office), 1972. 
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urban areas, are derived from city directories (themselves the prod- 
uct of a private census effort by the R. L. Polk organization), or 
from the telephone book. 

Starting with a raw list of names and addresses from the tele- 
phone book, for example, a listing organization may sort the ad- 
dresses by census tract for a first cut at arranging the list by income. 
Census tracts, the smallest units for which decennial census data are 
regularly published, cover urban neighborhoods of about a thou- 
sand families each. For each tract population, the census reports 
median income and education, average family size, distribution of 
occupations, size and type of housing, and other statistical data that 
permit a fairly accurate estimate (American neighborhoods being as 
homogeneous as they are) of the buying power of every individual 
on the raw telephone-book list. 

So far, making the list has demanded only modest clerical re- 
sources. Although most telephone books are computer-produced to 
begin with, and thus already exist in machine-accessible form, a 
good deal of handwork is required to sort out listings that do not 
conform to the usual structure of names. (Despite the earnest ef- 
forts of mailers and their computer experts, there is a whole class of 
computer stories about the Little Sisters of the Poor, for instance, 
getting offers beginning “Dear Mrs. Little.”) In some towns, this 
handwork is the basis for a sizeable cottage industry. 

Other useful sources of names are the rosters of various license 
holders and professional societies. Lists from these sources allow 
highly selective mailings to advertise specialized books and equip- 
ment. Since most recipients are genuinely interested in the adver- 
tised matter, there is little opposition to direct mail from this 
source, although clubs of stamp and coin collectors take pains to 
protect their members from inadvertently advertising their collec- 
tions to burglars. 

With lists of various sorts to work from, relatively simple com- 
puting equipment will enable a list broker to assemble very special- 
ized mailings. Matching a medical society list against census tract 
addresses against motor vehicle registrations, for example, can easily 
produce a list of physicians in a given suburb who own Oldsmobiles 
more than two years old. A sales message tuned to just that audi- 
ence may have excellent results. 
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In some cases, the computer can be used to generate specialized 
lists from a single mass list like the telephone book. A simple pro- 
gram can print out all addresses for which more than one family 
name is listed to produce a list of apartment-house dwellers. The 
computer may simply replace every name on the list with the word 
“occupant,” trading the benefits of a personalized approach for 
those of easier postal delivery. Computer programs are even avail- 
able which will sort names into ethnic categories. These claim ace 
curacies of better than 75 percent and have been widely used in 
recent political campaigns. 

There is some evidence, however, that this selective computer- 
tuning of advertising may have passed its peak of popularity. In 
part, this may be due to rising concern about personal privacy, but 
it is also likely that the computer-written letter has itself lost some 
of its novelty. Whatever the reason, except for the very largest 
direct-mail firms, mostly magazines, there are few companies that 
find extensive computer work in fine-tuning mailing lists worth the 
expense of a special automated facility. The managers of the small 
and middle-sized firms that account for the bulk of direct-mail 
advertising usually prefer to work from “fresh” lists of people who 
have recently bought merchandise through the mails. A list may 
well have originated from a completely different kind of product or 
service (in fact, direct competitors usually do not exchange lists and 
even “salt” their own lists with the names of friends who will watch 
their mail for unauthorized use), but freshness and accuracy of 
addresses are considered more valuable than affinity. Since about 
20 percent of the U.S. population changes address each year, the 
useful life of any list is ephemeral. Unless the fixed costs of the 
computer operation can be shared with payroll, inventory, and 
other conventional business tasks, sophisticated computer pro- 
cessing of mailing lists is not economically practical for most firms. 

To what extent should the safeguards suggested by the Secre- 
tary’s Advisory Committee on Automated Personal Data Systems 
apply to the direct-mail industry? We have found no evidence that 
direct-mail advertising is anything more than an annoyance to a 
smal] part of the population. That smail part, however, deserves its 
share of reasonable protection. Furthermore, there is no way of 
knowing whether the number of annoyed people today will grow as 
an increase in computer-tuned mailing begins to vex those who are 
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now neutral about it. Certainly it should be easier to deal with such 
an eventuality if pains are taken now to understand the present 
situation. 

An underlying function of the Advisory Committee’s recom- 
mended safeguards is to provide effective feedback mechanisms that 
will help to make automated personal data systems more responsive 
to the interests of individuals. Systems maintained by most govern- 
ment agencies, and by many private organizations, do not now 
provide for tight links between individuals and the system oper- 
ators. The direct-mail industry, however, is largely organized around 
the idea of public feedback; the trade press concentrates almost 
obsessively on methods for maximizing response and minimizing 
complaints. 

Because most mailings draw a response from only 3 or 4 percent 
of the addressees, a small change in the response rate can have 
relatively large economic implications for the mailer. The same is 
true for the compilers and brokers of mailing lists, because the price 
a list commands in the rental market depends not so much on its 
demographic sophistication as on its accuracy and freshness. Lists 
are cleaned by adding a special imprint to the mailing which gives 
the Postal Service authority to correct and return (at first-class 
rates) all undeliverable pieces. Since it costs about four times as 
much to discover and correct a “nixie” as it does to make a clean 
mailing in the first place, there is a powerful economic incentive to 
concentrate lists on known buyers at addresses of known accuracy. 

Another feedback mechanism operates on the industry as a 
whole. Direct-mai!l advertising is strongly dependent for survival on 
the official good will of a large number of agencies of the govern- 
ment; opposition from the Postal Service, from motor vehicle regis- 
trars,or from the Census Bureau,to name a few examples, would 
seriously hamper the industry on its present scale. It seems likely 
that a scandal involving public records, or the development of a 
public allergy to direct-mail advertising, would lead to government 
moves to put constraints on the industry. 

Constructive publicity toward emphasizing the rights of the indi- 
vidual relative to direct-mail advertising, especially the methods the 
industry has adopted for getting off and getting on the larger lists, 
would go far in strengthening these feedback mechanisms that al- 
ready operate. In particular, the Direct Mail Advertising Associ- 
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ation’s Mail Preference Service deserves wider attention. Although 
the Association claims that the service has received wide publicity 
throughout the country, it does not seem to have made a very deep 
impression on the public mind. This may reflect the persistent an- 
tagonism between the direct-mail industry and newspapers and mag- 
azines. Competition for the advertising dollar has often led periodi- 
cals to adopt a jaundiced editorial view of “junk mail,” and it may 
therefore be that the Mail Preference Service will have to be pub- 
licized mainly through official, especially Postal Service, channels. 

If feedback mechanisms stronger than those provided by the eco- 
nomics of the industry should become desirable, there would be 
formidable practical difficulties in applying the Committee’s safe- 
guards to the freewheeling small operators of the direct-mail indus- 
try. The most directly applicable of the Commiitee’s safeguards is 
the requirement for the informed consent of the data subject to be 
obtained before any collateral use may be made of data from an 
administrative personal data system. To accomplish this, forms that 
are used by the system in transactions with individuals (applica- 
tions, for example), and that are vulnerable to mailing-list uses, 
could be printed with a block in which the individual—by his de- 
liberate action—could indicate whether or not his name and address 
could be sold or otherwise transferred to another data system for 
mailing-list use. Of course, this could not prevent his name and 
address from being copied by hand out of a public record system, 
but the cost of such handcopying would sharply curtail! much com- 
mercial use. 

In view of the controls already at work in the direct-mail adver- 
tising industry, this limited application of the Committee’s safe- 
guards seems sufficient. It would provide protection to individuals 
from having their names unexpectedly appear on mailing lists with- 
out their consent. We doubt the utility and feasibility of trying to 
make the rest of the Committee’s proposed safeguard requirements 
apply to mailing lists as such, as a form of administrative automated 
personal data system, or to organizations that deal only in mailing 
lists. If the control of mailing lists is to be undertaken by law, it 
should be done by legislation that is directed specifically to that 
purpose. Any attempt to do so by less direct means, such as 
through the application of all the Committee’s safeguards, would be 
likely to prove ineffectual, unless the courts come to place a value 
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on mailbox privacy far higher than that reflected in the Lamont 
case cited earlier.? Long before that would have occurred, popular 
feeling against intrusion on personal privacy would have had to rise 
to such a pitch that the direct-mail business would already have 
become, for the first time, flat, dull, stale, and unprofitable. 

If the foregoing analysis of the situation underestimates the felt 
need for greater mailbox privacy, it would be feasible to undertake 
specific legislative action against the direct-mail advertising industry 
to provide greater protections, as the regulation of information 
practices in the consumer-reporting industry amply demonstrates. 


* Note 4, p. 290, above. 
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Title 18 ULS.C., 259, 276 

Trade secrets, 65, 273 


Unemployment compensation, 115 
Unfair information practice, see Code of 
Fair Information Practice 
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U.S, Bureau of the Budget, 116; see also 
U.S. Office of Management and 
Budget 

U.S. Bureau: of Customs, 232 

U.S. Bureau of the Census, 73, 89, 90, 
94, 179, 199-201, 295 

U.S. Civil Aeronautics Board, 69n, 

U.S. Civil Service Commission, 116-117, 
119, 259, 272, 284-287 

U.S. Commission of Education, 261, 262 
U.S. Commissioner of Internal 
Revenue, 115, 118 

U.S. Commissioner of Social Security, 
119, 127, 128 

U.S. Commissioner on Aging, 267 

U.S. Congress, xxxiii, 69, 90n., 120, 
124, 125, 179ff., 214, 219, 234n., 
245, 246, 259, 268; legislative pro- 
posals to, 136-138, 243-245, 246. 

U.S. Constitution, Article I, Sec, 2, 178, 
179; First Amendment, 34, 241; 
Third Amendment, 34; Fourth 
Amendment, 34; Fifth Amendment, 
34, 241, 242; Ninth Amendment, 34; 
Fourteenth Amendment, 241-242, 

U.S. Department of Commerce, 289 

U.S. Department of Health, Education, 
and Welfare, 24-28, 44-45, 94, 106, 
138-143; Administration on Aging, 
259n., 267; Office for Civil Rights, 
259n., 269; Office of Child Deve 
lopment (OCD), 259n., 268; Office 
of Human Development, 259n,; 
Office of the Secretary (OS), 
142-143, 259n.; Office of Youth 
Development (OYD), 259n.; record- 
keeping law, 258-287; Public Infor- 
mation Regulation, 273-274; see also 
Health Services and Mental Health 
Administration; National Center for 
Health Statistics; National Institute 
of Education; National Institutes of 
Health; National Institute of Mental 
Health, 

U.S, Department of Housing and Urban 

Development, 237 
U.S. Department of Justice, 222, 234, 
245; see also, Federal Bureau of 
Investigation 

U.S. Department of Labor, 270 

U.S. Department of State, 183, 188 
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"U.S. Department of Transportation, 


15-17, 120, 203ff 


U.S, Department of the Treasury, 114, 


118, 120, 186, 232; see also, Internal 
Revenue Service 

U.S. Federal Trade Commission, 69n., 
138 

U.S. Food and Drug Administration 
(FDA), 258n., 259n., 281 

U.S. Immigration and Naturalization Ser- 
vice, 232 

U.S. Interstate Commerce Commission, 
69n, 

U.S. Office of Education, 259-259n., 
283 

U.S. Office of Federal Contract Com- 
pliance, 269 

U.S. Office of Management and Budget, 
141, 270-271; 286; see also, US. 
Bureau of the Budget 

U.S. Postal Service, 72, 73, 289-290, 295 

U.S. Public Health Service, 119, 258n., 
259n. 

U.S. Secret Service, 232, 275 

U.S. Social & Rehabilitation Service 
(DHEW), 120, 259, 281 

U.S. Veterans Administration, 119; see 


also General Accounting Office; 
General Services Administration 
U.S. v. Moriarity, 180, 199-200 


Van Buren, Martin, 187 

Velde, Richard W., 228 

Venereal Disease Prevention and Control 
Program, 278 

Virgin Islands, 208 

Virginia, Commonwealth of, 188, 211 


Wagner, Jacob, 183 

Walker, Francis Amasa, 193-1 94, 196 
Washington, George, 181 

Weaver, William A., 188 

Weisner, Jerome, 225 

Welfare records, see Records 
Wiretapping, 29, 172 

Wright, Carroll D., 198 


Younger Committee (U.K.), 173-174, 
289 
Younger, Rt. Hon. Kenneth, 173n. 


